
Windows Analysis Report
7qBBKk0P4l.exe

Overview

General Information

Sample name: 7qBBKk0P4l.exe (renamed because the original name is a hash value)
Original sample name: 3397920e23cf8435201e9e90796b2a8c9ec340e4733cbc8064999e462dc53470.exe
Analysis ID: 1488122
MD5: 94e7772b2b1bda89b23a2fba0e57742e
SHA1: 2af48b80b7354b4a15eff49af3f3d70d3e5789a4
SHA256: 3397920e23cf8435201e9e90796b2a8c9ec340e4733cbc8064999e462dc53470
Tags: exe

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to resolve many domain names, but no domain seems valid
Connects to many different domains
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Executes massive DNS lookups (> 100)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • 7qBBKk0P4l.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\7qBBKk0P4l.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
    • psjpq2s5tgtsjq0yguk.exe (PID: 2976 cmdline: "C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
      • yanidfx.exe (PID: 3628 cmdline: "C:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
  • yanidfx.exe (PID: 3120 cmdline: C:\hjflhukc\yanidfx.exe MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
    • xxxniijvj.exe (PID: 1984 cmdline: tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
      • yanidfx.exe (PID: 5676 cmdline: "c:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
        • xxxniijvj.exe (PID: 6500 cmdline: tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
          • yanidfx.exe (PID: 4584 cmdline: "c:\hjflhukc\yanidfx.exe" MD5: 94E7772B2B1BDA89B23A2FBA0E57742E)
  • svchost.exe (PID: 2688 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
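Every process in the tree above except svchost.exe carries the MD5 of the submitted sample, under four different file names, three of them in C:\hjflhukc\, and the copies keep relaunching each other. The following Python is an added example, not part of the Joe Sandbox report; it works on a process list constructed from the tree (pid, parent pid, image path, MD5), with parent pid 0 standing in for roots whose parent the tree does not show (an assumption), and flags a hash that runs under several names from untrusted directories, then measures the longest same-hash parent-to-child chain.

```python
"""Added example: cluster a process list by image hash to expose self-copies
(one MD5 under several file names in an untrusted directory) and measure how
deep a same-hash parent-to-child respawn chain goes."""
from collections import defaultdict
import ntpath

SAMPLE_MD5 = "94E7772B2B1BDA89B23A2FBA0E57742E"

# Constructed from the process tree in this report: (pid, ppid, image, md5).
# ppid 0 is an assumption standing in for roots whose parent the tree omits.
PROCESSES = [
    (5452, 0,    r"C:\Users\user\Desktop\7qBBKk0P4l.exe", SAMPLE_MD5),
    (2976, 5452, r"C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe",  SAMPLE_MD5),
    (3628, 2976, r"C:\hjflhukc\yanidfx.exe",              SAMPLE_MD5),
    (3120, 0,    r"C:\hjflhukc\yanidfx.exe",              SAMPLE_MD5),
    (1984, 3120, r"C:\hjflhukc\xxxniijvj.exe",            SAMPLE_MD5),
    (5676, 1984, r"C:\hjflhukc\yanidfx.exe",              SAMPLE_MD5),
    (6500, 5676, r"C:\hjflhukc\xxxniijvj.exe",            SAMPLE_MD5),
    (4584, 6500, r"C:\hjflhukc\yanidfx.exe",              SAMPLE_MD5),
    (2688, 624,  r"C:\Windows\System32\svchost.exe",      "B7F884C1B74A263F746EE12A5F7C9F6A"),
]

# Directories whose contents are not treated as suspicious on their own.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def find_self_copies(processes, min_names=2):
    """Hashes that run under at least min_names file names, at least one of
    them outside TRUSTED_PREFIXES."""
    images_by_hash = defaultdict(set)
    for _pid, _ppid, image, md5 in processes:
        images_by_hash[md5.lower()].add(image.lower())
    findings = []
    for md5, images in images_by_hash.items():
        names = sorted({ntpath.basename(i) for i in images})
        untrusted = sorted(i for i in images if not i.startswith(TRUSTED_PREFIXES))
        if len(names) >= min_names and untrusted:
            findings.append({"md5": md5, "names": names, "untrusted_paths": untrusted})
    return findings


def respawn_chain_depth(processes, md5):
    """Length of the longest parent->child chain where every link has this hash."""
    md5 = md5.lower()
    parent_of = {pid: ppid for pid, ppid, _image, h in processes if h.lower() == md5}
    best = 0
    for pid in parent_of:
        depth, cur = 1, pid
        # Walk upwards while the parent also has the hash; the depth bound
        # guards against a cyclic (corrupt) parent table.
        while parent_of.get(cur) in parent_of and depth < len(parent_of):
            depth, cur = depth + 1, parent_of[cur]
        best = max(best, depth)
    return best


if __name__ == "__main__":
    for finding in find_self_copies(PROCESSES):
        print(finding["md5"], "runs as", finding["names"])
        print("  untrusted paths:", finding["untrusted_paths"])
    print("respawn chain depth:", respawn_chain_depth(PROCESSES, SAMPLE_MD5))
```

On a live host the same two checks can be fed from an EDR process inventory or a Sysmon event 1 export, as long as each record carries the image hash; grouping on the hash rather than the file name is what defeats the random names the sample uses.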
Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

Sigma match: Process started (author: vburov)
Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager; CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager; CommandLine|base64offset|contains: (empty); Image: C:\Windows\System32\svchost.exe; NewProcessName: C:\Windows\System32\svchost.exe; OriginalFileName: C:\Windows\System32\svchost.exe; ParentCommandLine: (empty); ParentImage: (empty); ParentProcessId: 624; ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager; ProcessId: 2688; ProcessName: svchost.exe
IDS Alerts

All 21 alerts fall on 2024-08-05 (+0200) and carry the classtype "A Network Trojan was detected". Entries with source port 53 or 80 fired on the server's reply (DNS answer or HTTP response); the rest fired on the client's outbound HTTP request.

Timestamp        SID      Src Port  Dst Port  Protocol
16:36:41.217947  2815568  49704     80        TCP
16:36:41.235057  2811542  53        59367     UDP
16:36:42.598232  2018316  53        56810     UDP
16:36:43.677692  2815568  49705     80        TCP
16:36:43.682520  2037771  80        49705     TCP
16:36:45.925960  2037771  80        49706     TCP
16:36:48.099598  2815568  49708     80        TCP
16:36:56.538931  2815568  49719     80        TCP
16:36:56.545343  2037771  80        49719     TCP
16:36:58.610225  2815568  49720     80        TCP
16:37:58.771271  2815568  49727     80        TCP
16:38:00.887942  2815568  49728     80        TCP
16:38:00.892788  2037771  80        49728     TCP
16:38:02.779063  2815568  49729     80        TCP
16:38:07.114356  2018316  53        56830     UDP
16:38:08.756166  2815568  49732     80        TCP
16:38:10.787983  2815568  49734     80        TCP
16:38:13.014870  2815568  49737     80        TCP
16:38:13.043633  2811542  53        53468     UDP
16:38:15.755898  2815568  49738     80        TCP
16:38:17.877671  2815568  49740     80        TCP


AV Detection

Source: 7qBBKk0P4l.exe Avira: detected
Source: C:\hjflhukc\xxxniijvj.exe Avira: detection malicious, Label: HEUR/AGEN.1318579
Source: C:\hjflhukc\yanidfx.exe Avira: detection malicious, Label: HEUR/AGEN.1318579
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe Avira: detection malicious, Label: HEUR/AGEN.1318579
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe ReversingLabs: Detection: 92%
Source: C:\hjflhukc\xxxniijvj.exe ReversingLabs: Detection: 92%
Source: C:\hjflhukc\yanidfx.exe ReversingLabs: Detection: 92%
Source: 7qBBKk0P4l.exe ReversingLabs: Detection: 92%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\hjflhukc\xxxniijvj.exe Joe Sandbox ML: detected
Source: C:\hjflhukc\yanidfx.exe Joe Sandbox ML: detected
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe Joe Sandbox ML: detected
Source: 7qBBKk0P4l.exe Joe Sandbox ML: detected
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe Code function: 2_2_005FBECE GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 2_2_005FBECE
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe Code function: 2_2_0060AE3B CryptAcquireContextA, 2_2_0060AE3B
Source: C:\hjflhukc\yanidfx.exe Code function: 3_2_0074BECE GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 3_2_0074BECE
Source: C:\hjflhukc\yanidfx.exe Code function: 3_2_0075AE3B CryptAcquireContextA, 3_2_0075AE3B
Source: 7qBBKk0P4l.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe Code function: 0_2_00AE5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00AE5C39
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe Code function: 2_2_005F5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_005F5C39
Source: C:\hjflhukc\yanidfx.exe Code function: 3_2_00745C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00745C39
Source: C:\hjflhukc\xxxniijvj.exe Code function: 4_2_00CE5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00CE5C39
Source: C:\hjflhukc\xxxniijvj.exe Code function: 11_2_00045C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 11_2_00045C39

Networking

Source: unknown DNS traffic detected: the following queries were answered with reply code Name error (3), i.e. NXDOMAIN:
  • smokesystem.net
  • alreadylaughter.net
  • followbelieve.net
  • summerbranch.net
  • gentlemanconsider.net
  • freshconsider.net
  • womanreceive.net
  • gentlemanfancy.net
  • followhonor.net
  • alreadybranch.net
  • crowdbelieve.net
  • gentlemanquarter.net
  • womannorth.net
  • beginlaughter.net
  • beginquarter.net
  • crowdhonor.net
  • memberlaughter.net
  • alreadyquarter.net
  • memberbelieve.net
  • alreadysystem.net
  • gentlemansystem.net
  • experiencequarter.net
  • partyquarter.net
  • experiencereceive.net
  • waterbelieve.net
  • memberfancy.net
  • crowdquarter.net
  • smokegeneral.net
  • freshquarter.net
  • smokequarter.net
  • experienceconsider.net
  • summersystem.net
  • memberbranch.net
  • summerquarter.net
  • summerhonor.net
  • partysystem.net
  • alreadyreceive.net
  • partybranch.net
  • experiencefriend.net
  • knownlaughter.net
  • gentlemanneither.net
  • freshhonor.net
  • memberconsider.net
  • fightnorth.net
  • fightinclude.net
  • fightgeneral.net
  • experienceneither.net
  • waterneither.net
  • waterbranch.net
  • alreadytrust.net
  • freshsystem.net
  • beginfancy.net
  • fighttrust.net
  • smokebelieve.net
  • beginbelieve.net
  • crowdreceive.net
  • experiencebelieve.net
  • fightquarter.net
  • experiencebranch.net
  • thoughtreceive.net
  • womanquarter.net
  • smokenorth.net
  • freshreceive.net
  • crowdsystem.net
  • freshbranch.net
  • knownbranch.net
  • smokehonor.net
  • thoughtquarter.net
  • crowdneither.net
  • followsystem.net
  • knownhonor.net
  • womantrust.net
  • beginreceive.net
  • watertrust.net
  • smokeneither.net
  • alreadybelieve.net
  • freshneither.net
  • experiencesystem.net
  • knowntrust.net
  • alreadyfancy.net
  • smokereceive.net
  • knownquarter.net
  • beginhonor.net
  • followbranch.net
  • knownreceive.net
  • partyinclude.net
  • followreceive.net
  • fightreceive.net
  • summertrust.net
  • partytrust.net
  • thoughtbelieve.net
  • beginneither.net
  • knownneither.net
  • fighthonor.net
  • fightbranch.net
  • begintrust.net
  • freshlaughter.net
  • knownbelieve.net
  • smokeclear.net
  • fightneither.net
  • followlaughter.net
  • thoughtneither.net
  • alreadyconsider.net
  • smoketrust.net
  • memberneither.net
  • gentlemantrust.net
  • partynorth.net
  • womanneither.net
  • freshfriend.net
  • womangeneral.net
  • smokeinclude.net
  • waterreceive.net
  • gentlemanhonor.net
  • waterquarter.net
  • followneither.net
  • followfancy.net
  • followtrust.net
  • memberquarter.net
  • womaninclude.net
  • womanbranch.net
  • followconsider.net
  • partyclear.net
  • waterhonor.net
  • gentlemanbelieve.net
  • experiencetrust.net
  • summerneither.net
  • thoughttrust.net
  • knownsystem.net
  • thoughthonor.net
  • fightclear.net
  • beginsystem.net
  • fightbelieve.net
  • experiencelaughter.net
  • experiencehonor.net
  • freshtrust.net
  • summerreceive.net
  • experiencefancy.net
  • partyhonor.net
  • gentlemanbranch.net
  • memberfriend.net
  • partyreceive.net
  • gentlemanfriend.net
  • freshbelieve.net
  • womansystem.net
  • followquarter.net
  • smokebranch.net
  • gentlemanreceive.net
  • crowdbranch.net
  • alreadyneither.net
  • beginbranch.net
  • memberhonor.net
  • summerbelieve.net
  • alreadyhonor.net
  • gentlemanlaughter.net
  • partyneither.net
Source: unknown Network traffic detected: DNS query count 170
Source: global traffic DNS traffic detected: number of DNS queries: 170
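The NXDOMAIN burst above is the behaviour a detection engineer would want to catch on a resolver log: 170 lookups in a couple of minutes, almost all failing, every name a concatenation of two dictionary words under .net. The following Python is an added example, not part of the Joe Sandbox report or the sample; it assumes a constructed log format of `timestamp client qname rcode` (a real resolver log needs its own parser) and takes its two word lists from the 16 first and 16 second words that make up the domains queried in this report. It flags a client when most of a sizeable query burst comes back NXDOMAIN and the names fit that word-pair shape; the thresholds are assumed tuning values.

```python
"""Added example: spot the NXDOMAIN burst and word-pair domain shape seen in
this report in a resolver log. The log format is constructed, not a product's."""
from collections import defaultdict

# Word lists taken from the domains queried in this report: every name is one
# word from FIRST_WORDS followed by one from SECOND_WORDS, then ".net".
FIRST_WORDS = {"smoke", "already", "follow", "summer", "gentleman", "fresh",
               "woman", "crowd", "begin", "member", "experience", "party",
               "water", "known", "fight", "thought"}
SECOND_WORDS = {"system", "laughter", "believe", "branch", "consider",
                "receive", "fancy", "honor", "quarter", "north", "general",
                "friend", "neither", "include", "trust", "clear"}


def is_word_pair_domain(fqdn):
    """True when <label>.net splits into FIRST_WORDS + SECOND_WORDS."""
    label, sep, tld = fqdn.lower().rstrip(".").rpartition(".")
    if not sep or tld != "net":
        return False
    return any(label[:i] in FIRST_WORDS and label[i:] in SECOND_WORDS
               for i in range(1, len(label)))


def parse_line(line):
    """Constructed format: '<timestamp> <client-ip> <qname> <rcode>'."""
    _ts, client, qname, rcode = line.split()
    return client, qname, rcode


def analyze(lines, min_queries=20, min_nx_ratio=0.8, min_pair_ratio=0.8):
    """Per-client verdicts: flag a burst of mostly-NXDOMAIN word-pair lookups."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "word_pairs": 0})
    for line in lines:
        client, qname, rcode = parse_line(line)
        s = stats[client]
        s["queries"] += 1
        s["nxdomain"] += rcode == "NXDOMAIN"
        s["word_pairs"] += is_word_pair_domain(qname)
    verdicts = {}
    for client, s in stats.items():
        nx_ratio = s["nxdomain"] / s["queries"]
        pair_ratio = s["word_pairs"] / s["queries"]
        verdicts[client] = {
            "queries": s["queries"],
            "nx_ratio": round(nx_ratio, 2),
            "word_pairs": s["word_pairs"],
            "suspicious": (s["queries"] >= min_queries
                           and nx_ratio >= min_nx_ratio
                           and pair_ratio >= min_pair_ratio),
        }
    return verdicts


# Constructed sample log: 10.0.0.5 replays 22 of the report's lookups
# (20 NXDOMAIN, 2 that resolved); 10.0.0.9 is an ordinary client for contrast.
_NX = ["smokesystem.net", "alreadylaughter.net", "followbelieve.net",
       "summerbranch.net", "gentlemanconsider.net", "freshconsider.net",
       "womanreceive.net", "gentlemanfancy.net", "followhonor.net",
       "alreadybranch.net", "crowdbelieve.net", "gentlemanquarter.net",
       "womannorth.net", "beginlaughter.net", "beginquarter.net",
       "crowdhonor.net", "memberlaughter.net", "alreadyquarter.net",
       "memberbelieve.net", "alreadysystem.net"]
SAMPLE_LOG = (
    [f"2024-08-05T16:36:41 10.0.0.5 {d} NXDOMAIN" for d in _NX]
    + ["2024-08-05T16:36:42 10.0.0.5 partygeneral.net NOERROR",
       "2024-08-05T16:36:43 10.0.0.5 memberreceive.net NOERROR",
       "2024-08-05T16:36:41 10.0.0.9 www.example.com NOERROR",
       "2024-08-05T16:36:42 10.0.0.9 mail.example.com NOERROR",
       "2024-08-05T16:36:43 10.0.0.9 typo.example.org NXDOMAIN"]
)

if __name__ == "__main__":
    for client, verdict in analyze(SAMPLE_LOG).items():
        print(client, verdict)
```

The word-pair check is specific to this family's vocabulary; the NXDOMAIN ratio over a query window is the generic half and carries over to any DGA, so keep the two as separate signals when tuning.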
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partygeneral.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: memberreceive.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: thoughtbranch.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: womanbelieve.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partybelieve.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: membersystem.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: membertrust.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: crowdtrust.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: thoughtsystem.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: watersystem.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: womanhonor.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: freshfancy.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: alreadyfriend.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: followfriend.net
Source: Joe Sandbox View IP Address: 188.225.40.227
Source: Joe Sandbox View IP Address: 34.246.200.160
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (50 occurrences)
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe Code function: 0_2_00AF8695 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,closesocket, 0_2_00AF8695
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partygeneral.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: memberreceive.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: thoughtbranch.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: womanbelieve.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partybelieve.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: membersystem.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: membertrust.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: crowdtrust.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: thoughtsystem.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: watersystem.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: womanhonor.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: freshfancy.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: alreadyfriend.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: followfriend.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Mon, 05 Aug 2024 14:36:46 GMT Content-Type: text/html Content-Length: 118 Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 05 Aug 2024 14:36:53 GMT Content-Type: text/html Content-Length: 146 Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close | Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 14:36:58 GMT Server: Apache/2.4.61 (Unix) Content-Length: 196 Content-Type: text/html; charset=iso-8859-1 Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Mon, 05 Aug 2024 14:38:03 GMT Content-Type: text/html Content-Length: 118 Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Mon, 05 Aug 2024 14:38:03 GMT Content-Type: text/html Content-Length: 118 Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 05 Aug 2024 14:38:10 GMT Content-Type: text/html Content-Length: 146 Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close | Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 14:38:15 GMT Server: Apache/2.4.61 (Unix) Content-Length: 196 Content-Type: text/html; charset=iso-8859-1 Connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fasthosts.co.uk/
Source: yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2205368302.000000000194D000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239801424.0000000001CFD000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://followfriend.net/index.php
Source: yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2205368302.000000000194D000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239801424.0000000001CFD000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par
Source: yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/domain-names/search/?domain=$
Source: yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_
Source: yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-199510482-1
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File created: C:\Windows\hjflhukc\
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\yanidfx.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\xxxniijvj.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\yanidfx.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\yanidfx.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\xxxniijvj.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\hjflhukc\yanidfx.exe | File created: C:\Windows\hjflhukc\hhziccmdjsti
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File deleted: C:\Windows\hjflhukc\hhziccmdjsti
Source: 7qBBKk0P4l.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7qBBKk0P4l.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: psjpq2s5tgtsjq0yguk.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yanidfx.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xxxniijvj.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal88.troj.winEXE@15/5@326/12
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle | 0_2_00B035AD
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle | 2_2_006135AD
Source: C:\hjflhukc\yanidfx.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle | 3_2_007635AD
Source: C:\hjflhukc\xxxniijvj.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle | 4_2_00D035AD
Source: C:\hjflhukc\xxxniijvj.exe | Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle | 11_2_000635AD
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 0_2_00AF0806 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle | 0_2_00AF0806
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 0_2_00B074E8 StartServiceCtrlDispatcherA | 0_2_00B074E8
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Code function: 0_2_00B074E8 StartServiceCtrlDispatcherA | 0_2_00B074E8
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe | Code function: 2_2_006174E8 StartServiceCtrlDispatcherA | 2_2_006174E8
Source: C:\hjflhukc\yanidfx.exe | Code function: 3_2_007674E8 StartServiceCtrlDispatcherA | 3_2_007674E8
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 4_2_00D074E8 StartServiceCtrlDispatcherA | 4_2_00D074E8
Source: C:\hjflhukc\xxxniijvj.exe | Code function: 11_2_000674E8 StartServiceCtrlDispatcherA | 11_2_000674E8
Source: C:\hjflhukc\yanidfx.exe | Mutant created: NULL
Source: 7qBBKk0P4l.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7qBBKk0P4l.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | File read: C:\Users\user\Desktop\7qBBKk0P4l.exe
Source: unknown | Process created: C:\Users\user\Desktop\7qBBKk0P4l.exe "C:\Users\user\Desktop\7qBBKk0P4l.exe"
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Process created: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe "C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe"
Source: unknown | Process created: C:\hjflhukc\yanidfx.exe C:\hjflhukc\yanidfx.exe
Source: C:\hjflhukc\yanidfx.exe | Process created: C:\hjflhukc\xxxniijvj.exe tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe | Process created: C:\hjflhukc\yanidfx.exe "C:\hjflhukc\yanidfx.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\hjflhukc\xxxniijvj.exe | Process created: C:\hjflhukc\yanidfx.exe "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\yanidfx.exe | Process created: C:\hjflhukc\xxxniijvj.exe tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\xxxniijvj.exe | Process created: C:\hjflhukc\yanidfx.exe "c:\hjflhukc\yanidfx.exe"
Source: C:\Users\user\Desktop\7qBBKk0P4l.exe | Process created: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe "C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe"
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe | Process created: C:\hjflhukc\yanidfx.exe "C:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\yanidfx.exe | Process created: C:\hjflhukc\xxxniijvj.exe tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\xxxniijvj.exe | Process created: C:\hjflhukc\yanidfx.exe "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\yanidfx.exe | Process created: C:\hjflhukc\xxxniijvj.exe tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Source: C:\hjflhukc\xxxniijvj.exe | Process created: C:\hjflhukc\yanidfx.exe "c:\hjflhukc\yanidfx.exe"
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeSection loaded: wintypes.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: apphelp.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: sspicli.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: userenv.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: profapi.dllJump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: apphelp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: sspicli.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: profapi.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: mswsock.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: napinsp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: wshbth.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: winrnr.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\hjflhukc\xxxniijvj.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: sspicli.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: profapi.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: mswsock.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: napinsp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: wshbth.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: winrnr.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\hjflhukc\yanidfx.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00B084D7 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,0_2_00B084D7
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00AF2C94 push edi; iretd 0_2_00AF2C95
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeCode function: 2_2_00602C94 push edi; iretd 2_2_00602C95
Source: C:\hjflhukc\yanidfx.exeCode function: 3_2_00752C94 push edi; iretd 3_2_00752C95
Source: C:\hjflhukc\xxxniijvj.exeCode function: 4_2_00CF2C94 push edi; iretd 4_2_00CF2C95
Source: C:\hjflhukc\xxxniijvj.exeCode function: 11_2_00052C94 push edi; iretd 11_2_00052C95
Source: 7qBBKk0P4l.exeStatic PE information: section name: .text entropy: 6.839663016682375
Source: psjpq2s5tgtsjq0yguk.exe.0.drStatic PE information: section name: .text entropy: 6.839663016682375
Source: yanidfx.exe.2.drStatic PE information: section name: .text entropy: 6.839663016682375
Source: xxxniijvj.exe.3.drStatic PE information: section name: .text entropy: 6.839663016682375
Source: C:\hjflhukc\yanidfx.exeFile created: C:\hjflhukc\xxxniijvj.exeJump to dropped file
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeFile created: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeJump to dropped file
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeFile created: C:\hjflhukc\yanidfx.exeJump to dropped file
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00B074E8 StartServiceCtrlDispatcherA,0_2_00B074E8
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,0_2_00AF9F24
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeCode function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,2_2_00609F24
Source: C:\hjflhukc\yanidfx.exeCode function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,3_2_00759F24
Source: C:\hjflhukc\xxxniijvj.exeCode function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,4_2_00CF9F24
Source: C:\hjflhukc\xxxniijvj.exeCode function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,11_2_00059F24
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeCode function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,RtlAllocateHeap,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,2_2_006184D7
Source: C:\hjflhukc\yanidfx.exeCode function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,RtlAllocateHeap,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,3_2_007684D7
Source: C:\hjflhukc\xxxniijvj.exeWindow / User API: threadDelayed 541Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exeWindow / User API: threadDelayed 1334Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exeWindow / User API: threadDelayed 666Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exeWindow / User API: threadDelayed 1208Jump to behavior
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_2-9436
Source: C:\hjflhukc\xxxniijvj.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_4-9407
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-8680
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-7742
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_2-8500
Source: C:\hjflhukc\xxxniijvj.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_4-8494
Source: C:\hjflhukc\yanidfx.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_3-8884
Source: C:\hjflhukc\yanidfx.exe TID: 4128Thread sleep time: -31108s >= -30000sJump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 2884Thread sleep count: 541 > 30Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 2884Thread sleep time: -541000s >= -30000sJump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 2884Thread sleep count: 1334 > 30Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 2884Thread sleep time: -1334000s >= -30000sJump to behavior
Source: C:\hjflhukc\yanidfx.exe TID: 5672Thread sleep time: -50000s >= -30000sJump to behavior
Source: C:\hjflhukc\yanidfx.exe TID: 5952Thread sleep time: -31108s >= -30000sJump to behavior
Source: C:\hjflhukc\yanidfx.exe TID: 5672Thread sleep time: -50000s >= -30000sJump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 6996Thread sleep count: 666 > 30Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 6996Thread sleep time: -666000s >= -30000sJump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 6996Thread sleep count: 1208 > 30Jump to behavior
Source: C:\hjflhukc\xxxniijvj.exe TID: 6996Thread sleep time: -1208000s >= -30000sJump to behavior
Source: C:\hjflhukc\yanidfx.exeLast function: Thread delayed
Source: C:\hjflhukc\yanidfx.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00AE5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00AE5C39
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeCode function: 2_2_005F5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,2_2_005F5C39
Source: C:\hjflhukc\yanidfx.exeCode function: 3_2_00745C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,3_2_00745C39
Source: C:\hjflhukc\xxxniijvj.exeCode function: 4_2_00CE5C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,4_2_00CE5C39
Source: C:\hjflhukc\xxxniijvj.exeCode function: 11_2_00045C39 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,11_2_00045C39
Source: C:\hjflhukc\yanidfx.exeThread delayed: delay time: 50000Jump to behavior
Source: C:\hjflhukc\yanidfx.exeThread delayed: delay time: 50000Jump to behavior
Source: psjpq2s5tgtsjq0yguk.exe, 00000002.00000002.1469244546.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeAPI call chain: ExitProcess graph end nodegraph_0-8299
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeAPI call chain: ExitProcess graph end nodegraph_2-8920
Source: C:\hjflhukc\yanidfx.exeAPI call chain: ExitProcess graph end nodegraph_3-8590
Source: C:\hjflhukc\yanidfx.exeAPI call chain: ExitProcess graph end nodegraph_3-9196
Source: C:\hjflhukc\xxxniijvj.exeAPI call chain: ExitProcess graph end nodegraph_4-9106
Source: C:\hjflhukc\xxxniijvj.exeAPI call chain: ExitProcess graph end nodegraph_11-8845
Source: C:\hjflhukc\yanidfx.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00B084D7 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,0_2_00B084D7
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00AEDE5A GetProcessHeap,RtlFreeHeap,0_2_00AEDE5A
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00AEE769 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00AEE769
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00AE3E8C GetSystemTimeAsFileTime,__aulldiv,0_2_00AE3E8C
Source: C:\Users\user\Desktop\7qBBKk0P4l.exeCode function: 0_2_00AE88A8 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,0_2_00AE88A8
Source: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (numbers in parentheses are the count of matched signatures per technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Service Execution (2) | Windows Service (4) | Windows Service (4) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (2) | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (11) | LSASS Memory | Security Software Discovery (111) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (4) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Process Injection (1) | Security Account Manager | Virtualization/Sandbox Evasion (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (2) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | System Service Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | File Deletion (1) | DCSync | System Network Configuration Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Information Discovery (4) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1488122, Sample: 7qBBKk0P4l.exe, Startdate: 05/08/2024, Architecture: WINDOWS, Score: 88)
Hosts labelled in the graph: womantrust.net, womaninclude.net and 168 other IPs or domains at the root; followfriend.net 188.225.40.227 (ports 49722, 49740, 80; TIMEWEB-ASRU, Russian Federation) and womanbelieve.net 15.197.142.173 (ports 49707, 49730, 80; TANDEMUS, United States) plus 10 other IPs or domains contacted by yanidfx.exe.

Source | Detection | Scanner | Label | Link
7qBBKk0P4l.exe | 92% | ReversingLabs | Win32.Spyware.Nivdort
7qBBKk0P4l.exe | 100% | Avira | HEUR/AGEN.1318579
7qBBKk0P4l.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label | Link
C:\hjflhukc\xxxniijvj.exe | 100% | Avira | HEUR/AGEN.1318579
C:\hjflhukc\yanidfx.exe | 100% | Avira | HEUR/AGEN.1318579
C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe | 100% | Avira | HEUR/AGEN.1318579
C:\hjflhukc\xxxniijvj.exe | 100% | Joe Sandbox ML
C:\hjflhukc\yanidfx.exe | 100% | Joe Sandbox ML
C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe | 100% | Joe Sandbox ML
C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe | 92% | ReversingLabs | Win32.Spyware.Nivdort
C:\hjflhukc\xxxniijvj.exe | 92% | ReversingLabs | Win32.Spyware.Nivdort
C:\hjflhukc\yanidfx.exe | 92% | ReversingLabs | Win32.Spyware.Nivdort
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par | 0% | Avira URL Cloud | safe
https://fasthosts.co.uk/ | 0% | Avira URL Cloud | safe
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_ | 0% | Avira URL Cloud | safe
https://followfriend.net/index.php | 0% | Avira URL Cloud | safe
https://www.fasthosts.co.uk/domain-names/search/?domain=$ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
                                                                                                        knowntrust.net
                                                                                                        unknown
                                                                                                        unknowntrue
                                                                                                          unknown
                                                                                                          partybranch.net
                                                                                                          unknown
                                                                                                          unknowntrue
                                                                                                            unknown
                                                                                                            crowdneither.net
                                                                                                            unknown
                                                                                                            unknowntrue
                                                                                                              unknown
                                                                                                              womaninclude.net
                                                                                                              unknown
                                                                                                              unknowntrue
                                                                                                                unknown
                                                                                                                smokebelieve.net
                                                                                                                unknown
                                                                                                                unknowntrue
                                                                                                                  unknown
                                                                                                                  fightnorth.net
                                                                                                                  unknown
                                                                                                                  unknowntrue
                                                                                                                    unknown
                                                                                                                    gentlemanneither.net
                                                                                                                    unknown
                                                                                                                    unknowntrue
                                                                                                                      unknown
                                                                                                                      followquarter.net
                                                                                                                      unknown
                                                                                                                      unknowntrue
                                                                                                                        unknown
                                                                                                                        knownhonor.net
                                                                                                                        unknown
                                                                                                                        unknowntrue
                                                                                                                          unknown
                                                                                                                          womantrust.net
                                                                                                                          unknown
                                                                                                                          unknowntrue
                                                                                                                            unknown
                                                                                                                            memberquarter.net
                                                                                                                            unknown
                                                                                                                            unknowntrue
                                                                                                                              unknown
                                                                                                                              experiencefriend.net
                                                                                                                              unknown
                                                                                                                              unknowntrue
                                                                                                                                unknown
                                                                                                                                waterbranch.net
                                                                                                                                unknown
                                                                                                                                unknowntrue
                                                                                                                                  unknown
                                                                                                                                  smoketrust.net
                                                                                                                                  unknown
                                                                                                                                  unknowntrue
                                                                                                                                    unknown
                                                                                                                                    gentlemanreceive.net
                                                                                                                                    unknown
                                                                                                                                    unknowntrue
                                                                                                                                      unknown
                                                                                                                                      fightsystem.net
                                                                                                                                      unknown
                                                                                                                                      unknowntrue
                                                                                                                                        unknown
                                                                                                                                        memberfancy.net
                                                                                                                                        unknown
                                                                                                                                        unknowntrue
                                                                                                                                          unknown
                                                                                                                                          crowdhonor.net
                                                                                                                                          unknown
                                                                                                                                          unknowntrue
                                                                                                                                            unknown
                                                                                                                                            summerbelieve.net
                                                                                                                                            unknown
                                                                                                                                            unknowntrue
                                                                                                                                              unknown
                                                                                                                                              womanbranch.net
                                                                                                                                              unknown
                                                                                                                                              unknowntrue
                                                                                                                                                unknown
                                                                                                                                                crowdbranch.net
                                                                                                                                                unknown
                                                                                                                                                unknowntrue
                                                                                                                                                  unknown
                                                                                                                                                  beginbranch.net
                                                                                                                                                  unknown
                                                                                                                                                  unknowntrue
                                                                                                                                                    unknown
                                                                                                                                                    experiencehonor.net
                                                                                                                                                    unknown
                                                                                                                                                    unknowntrue
                                                                                                                                                      unknown
                                                                                                                                                      waterreceive.net
                                                                                                                                                      unknown
                                                                                                                                                      unknowntrue
                                                                                                                                                        unknown
                                                                                                                                                        gentlemansystem.net
                                                                                                                                                        unknown
                                                                                                                                                        unknowntrue
                                                                                                                                                          unknown
                                                                                                                                                          crowdsystem.net
                                                                                                                                                          unknown
                                                                                                                                                          unknowntrue
                                                                                                                                                            unknown
                                                                                                                                                            knownbelieve.net
                                                                                                                                                            unknown
                                                                                                                                                            unknowntrue
                                                                                                                                                              unknown
                                                                                                                                                              knownquarter.net
                                                                                                                                                              unknown
                                                                                                                                                              unknowntrue
                                                                                                                                                                unknown
                                                                                                                                                                beginsystem.net
                                                                                                                                                                unknown
                                                                                                                                                                unknowntrue
                                                                                                                                                                  unknown
                                                                                                                                                                  followsystem.net
                                                                                                                                                                  unknown
                                                                                                                                                                  unknowntrue
                                                                                                                                                                    unknown
                                                                                                                                                                    crowdreceive.net
                                                                                                                                                                    unknown
                                                                                                                                                                    unknowntrue
                                                                                                                                                                      unknown
                                                                                                                                                                      alreadyquarter.net
                                                                                                                                                                      unknown
                                                                                                                                                                      unknowntrue
                                                                                                                                                                        unknown
                                                                                                                                                                        beginquarter.net
                                                                                                                                                                        unknown
                                                                                                                                                                        unknowntrue
                                                                                                                                                                          unknown
                                                                                                                                                                          freshbelieve.net
                                                                                                                                                                          unknown
                                                                                                                                                                          unknowntrue
                                                                                                                                                                            unknown
                                                                                                                                                                            alreadyconsider.net
                                                                                                                                                                            unknown
                                                                                                                                                                            unknowntrue
                                                                                                                                                                              unknown
                                                                                                                                                                              alreadytrust.net
                                                                                                                                                                              unknown
                                                                                                                                                                              unknowntrue
                                                                                                                                                                                unknown
                                                                                                                                                                                freshquarter.net
                                                                                                                                                                                unknown
                                                                                                                                                                                unknowntrue
                                                                                                                                                                                  unknown
                                                                                                                                                                                  gentlemanfriend.net
                                                                                                                                                                                  unknown
                                                                                                                                                                                  unknowntrue
                                                                                                                                                                                    unknown
                                                                                                                                                                                    beginbelieve.net
                                                                                                                                                                                    unknown
                                                                                                                                                                                    unknowntrue
                                                                                                                                                                                      unknown
                                                                                                                                                                                      memberhonor.net
                                                                                                                                                                                      unknown
                                                                                                                                                                                      unknowntrue
                                                                                                                                                                                        unknown
                                                                                                                                                                                        summersystem.net
                                                                                                                                                                                        unknown
                                                                                                                                                                                        unknowntrue
                                                                                                                                                                                          unknown
                                                                                                                                                                                          partyquarter.net
                                                                                                                                                                                          unknown
                                                                                                                                                                                          unknowntrue
                                                                                                                                                                                            unknown
                                                                                                                                                                                            alreadyfancy.net
                                                                                                                                                                                            unknown
                                                                                                                                                                                            unknowntrue
                                                                                                                                                                                              unknown
                                                                                                                                                                                              fightneither.net
                                                                                                                                                                                              unknown
                                                                                                                                                                                              unknowntrue
                                                                                                                                                                                                unknown
alreadybranch.net | unknown | unknown | true | unknown
partynorth.net | unknown | unknown | true | unknown
womangeneral.net | unknown | unknown | true | unknown
thoughtreceive.net | unknown | unknown | true | unknown
smokegeneral.net | unknown | unknown | true | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://fasthosts.co.uk/ | yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/domain-names/search/?domain=$ | yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://followfriend.net/index.php | yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2205368302.000000000194D000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239801424.0000000001CFD000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_ | yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par | yanidfx.exe, 00000003.00000002.2205282054.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp, yanidfx.exe, 00000003.00000002.2205368302.000000000194D000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239801424.0000000001CFD000.00000004.00000010.00020000.00000000.sdmp, yanidfx.exe, 0000000A.00000002.3239685017.0000000001207000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
85.13.130.3 | membersystem.net | Germany | 34788 | NMM-ASD-02742FriedersdorfHauptstrasse68DE | false
188.225.40.227 | followfriend.net | Russian Federation | 9123 | TIMEWEB-ASRU | false
34.246.200.160 | thoughtbranch.net | United States | 16509 | AMAZON-02US | false
170.187.200.48 | crowdtrust.net | United States | 7018 | ATT-INTERNET4US | false
35.164.78.200 | memberreceive.net | United States | 16509 | AMAZON-02US | false
15.197.142.173 | womanbelieve.net | United States | 7430 | TANDEMUS | false
54.244.188.177 | womanhonor.net | United States | 16509 | AMAZON-02US | false
64.190.63.222 | watersystem.net | United States | 11696 | NBS11696US | false
15.197.192.55 | partybelieve.net | United States | 7430 | TANDEMUS | false
3.33.130.190 | partygeneral.net | United States | 8987 | AMAZONEXPANSIONGB | false
213.171.195.105 | thoughtsystem.net | United Kingdom | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
81.169.145.88 | freshfancy.net | Germany | 6724 | STRATOSTRATOAGDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488122
Start date and time: 2024-08-05 16:35:36 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7qBBKk0P4l.exe
renamed because original name is a hash value
Original Sample Name: 3397920e23cf8435201e9e90796b2a8c9ec340e4733cbc8064999e462dc53470.exe
Detection: MAL
Classification: mal88.troj.winEXE@15/5@326/12
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 75
• Number of non-executed functions: 81
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: 7qBBKk0P4l.exe
Time | Type | Description
10:37:10 | API Interceptor | 3687x Sleep call for process: xxxniijvj.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
85.13.130.3 | mtuXDnH1Di.exe | malicious | Unknown | membersystem.net/index.php
85.13.130.3 | mtuXDnH1Di.exe | malicious | Unknown | membersystem.net/index.php
85.13.130.3 | vzPAucRnt7.exe | malicious | Unknown | membersystem.net/index.php
85.13.130.3 | vzPAucRnt7.exe | malicious | Unknown | membersystem.net/index.php
188.225.40.227 | mtuXDnH1Di.exe | malicious | Unknown | followfriend.net/index.php
188.225.40.227 | mtuXDnH1Di.exe | malicious | Unknown | followfriend.net/index.php
188.225.40.227 | BeR96suzTx.exe | malicious | FormBook | www.skazhiraku.net/itq4/?ATvHA=k2MpXHpX2FlDSbL&m8=xx/ELnNnKvtlLUNVhX4h3nTX7+vGZrU3iKsqjiSQXnXFY1tr2Fuuzh2bLYvRiJP5MpAf
188.225.40.227 | Rh3zHXGC0W.exe | malicious | FormBook | www.ikra-prem.space/g8kn/?3f=SObGRIQc2SXqBOlWxSNvpO1BE/+cxQu6skH9Iz/5ZN4shibJkSmH+F/+6dh/KvA+GdhZXNtYOg==&s2J=v6Ah24bh4tF
188.225.40.227 | doc88.exe | malicious | FormBook | www.skazhiraku.net/itq4/?BJ=xx/ELnNnKvtlLUNVhX4h3nTX7+vGZrU3iKsqjiSQXnXFY1tr2Fuuzh2bLbPBtofBSMpY&k6Apv=4hB0VF
188.225.40.227 | p6le0wM39E.exe | malicious | DCRat | cq80904.tmweb.ru/vmHttpdefaultDb.php?K5Glm1IjUwWQCq0Uioy42v=MLZsFTiDn8Em9rir7K7wImpq3&EXQnpxYJ4aMICQvs=R7D0m961u58njgszmOLxASR&0xIfyHrB=3XszmcYUw52afU&3fe0eef725958b7929a02603a5aa73a2=f84fad6cd29a3006db8b86eab6e3e434&36f380f5a045f0456c7866159c7edf74=AZ4YzM3YjZzgDNxkzM5UzMhNTNmVTNhNjN0MmZ4EmN4gzYmVjN4kTZ&K5Glm1IjUwWQCq0Uioy42v=MLZsFTiDn8Em9rir7K7wImpq3&EXQnpxYJ4aMICQvs=R7D0m961u58njgszmOLxASR&0xIfyHrB=3XszmcYUw52afU
188.225.40.227 | UYAfvxRha7.exe | malicious | DCRat | cq80904.tmweb.ru/vmHttpdefaultDb.php?wNx8559dK63E8kRo7N3gYQ=50VYeNDsGBfOUR3suNfn4yWU&3fe0eef725958b7929a02603a5aa73a2=f84fad6cd29a3006db8b86eab6e3e434&36f380f5a045f0456c7866159c7edf74=AZ1MGNjVWZkZTMmRGOmRjNiZWMlNzYiNGZwEmY2UjNlRGZyMmZyQWM&wNx8559dK63E8kRo7N3gYQ=50VYeNDsGBfOUR3suNfn4yWU
34.246.200.160 | mtuXDnH1Di.exe | malicious | Unknown | thoughtbranch.net/index.php
34.246.200.160 | mtuXDnH1Di.exe | malicious | Unknown | thoughtbranch.net/index.php
34.246.200.160 | vzPAucRnt7.exe | malicious | Unknown | thoughtbranch.net/index.php
                                                                                                                                                                                                          vzPAucRnt7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • thoughtbranch.net/index.php
                                                                                                                                                                                                          7sAylAXBOb.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • figurewithout.net/index.php
                                                                                                                                                                                                          7sAylAXBOb.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • figurewithout.net/index.php
                                                                                                                                                                                                          5a5O0c0oJP.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • figurewithout.net/index.php
                                                                                                                                                                                                          5a5O0c0oJP.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • figurewithout.net/index.php
                                                                                                                                                                                                          Jla3M8Fe16.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • figurewithout.net/index.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                                          No context
                                                                                                                                                                                                          No context
                                                                                                                                                                                                          Process:C:\Users\user\Desktop\7qBBKk0P4l.exe
                                                                                                                                                                                                          File Type:ISO-8859 text, with no line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):6
                                                                                                                                                                                                          Entropy (8bit):2.584962500721156
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:o+k:op
                                                                                                                                                                                                          MD5:869F9B7357D5489D5FE37B208940AFD8
                                                                                                                                                                                                          SHA1:8D4C9419F43D41066C40C67ED43F63A268A7E7AC
                                                                                                                                                                                                          SHA-256:DEE53FC307F455BF9E72689A4472B6E5252C6B36B848C8F531DAD9714A8D3F80
                                                                                                                                                                                                          SHA-512:9B7E12978891487D2BD31DCF0BCF02CFC74331AEBA1372AE9B0DA3B4BD7B1B177F25FD4A9E798D48A7F7C569409647FD1D975C3E4D12631B0953A50BDF71C75D
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview:.RkQ.
                                                                                                                                                                                                          Process:C:\Users\user\Desktop\7qBBKk0P4l.exe
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):236032
                                                                                                                                                                                                          Entropy (8bit):7.1119041831804
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:nSzlgBOTkmrLSoVjBLW5w+ihTEzD4NptOi9:n+gITkmrWoJZW+PhTEzcNptb
                                                                                                                                                                                                          MD5:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          SHA1:2AF48B80B7354B4A15EFF49AF3F3D70D3E5789A4
                                                                                                                                                                                                          SHA-256:3397920E23CF8435201E9E90796B2A8C9EC340E4733CBC8064999E462DC53470
                                                                                                                                                                                                          SHA-512:28F2B94180CBD451FDF887B6E47DC92596FDFB37D06B0F115B4C4A79524366681E05EB2624922A7311BCB9CA983D275BB10F29338628F8654FD673619669F101
                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............D..............q......q.....Rich....................PE..L...w..T.....................>....................@..........................@............@.....................................P................................w......................................................T............................text............................... ..`.rdata..............................@..@.data............>..................@....reloc...w.......x..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\hjflhukc\yanidfx.exe
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):236032
                                                                                                                                                                                                          Entropy (8bit):7.1119041831804
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:nSzlgBOTkmrLSoVjBLW5w+ihTEzD4NptOi9:n+gITkmrWoJZW+PhTEzcNptb
                                                                                                                                                                                                          MD5:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          SHA1:2AF48B80B7354B4A15EFF49AF3F3D70D3E5789A4
                                                                                                                                                                                                          SHA-256:3397920E23CF8435201E9E90796B2A8C9EC340E4733CBC8064999E462DC53470
                                                                                                                                                                                                          SHA-512:28F2B94180CBD451FDF887B6E47DC92596FDFB37D06B0F115B4C4A79524366681E05EB2624922A7311BCB9CA983D275BB10F29338628F8654FD673619669F101
                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............D..............q......q.....Rich....................PE..L...w..T.....................>....................@..........................@............@.....................................P................................w......................................................T............................text............................... ..`.rdata..............................@..@.data............>..................@....reloc...w.......x..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):236032
                                                                                                                                                                                                          Entropy (8bit):7.1119041831804
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:nSzlgBOTkmrLSoVjBLW5w+ihTEzD4NptOi9:n+gITkmrWoJZW+PhTEzcNptb
                                                                                                                                                                                                          MD5:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          SHA1:2AF48B80B7354B4A15EFF49AF3F3D70D3E5789A4
                                                                                                                                                                                                          SHA-256:3397920E23CF8435201E9E90796B2A8C9EC340E4733CBC8064999E462DC53470
                                                                                                                                                                                                          SHA-512:28F2B94180CBD451FDF887B6E47DC92596FDFB37D06B0F115B4C4A79524366681E05EB2624922A7311BCB9CA983D275BB10F29338628F8654FD673619669F101
                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i............D..............q......q.....Rich....................PE..L...w..T.....................>....................@..........................@............@.....................................P................................w......................................................T............................text............................... ..`.rdata..............................@..@.data............>..................@....reloc...w.......x..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Entropy (8bit):7.1119041831804
                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                          File name:7qBBKk0P4l.exe
                                                                                                                                                                                                          File size:236'032 bytes
                                                                                                                                                                                                          MD5:94e7772b2b1bda89b23a2fba0e57742e
                                                                                                                                                                                                          SHA1:2af48b80b7354b4a15eff49af3f3d70d3e5789a4
                                                                                                                                                                                                          SHA256:3397920e23cf8435201e9e90796b2a8c9ec340e4733cbc8064999e462dc53470
                                                                                                                                                                                                          SHA512:28f2b94180cbd451fdf887b6e47dc92596fdfb37d06b0f115b4c4a79524366681e05eb2624922a7311bcb9ca983d275bb10f29338628f8654fd673619669f101
                                                                                                                                                                                                          SSDEEP:6144:nSzlgBOTkmrLSoVjBLW5w+ihTEzD4NptOi9:n+gITkmrWoJZW+PhTEzcNptb
                                                                                                                                                                                                          TLSH:D234AE27EA481433C92B627C8F4F3BE555BF71735A216A0D87AD29C85CA13CDB23251B
                                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i..............D................q.......q......Rich....................PE..L...w..T.....................>....................@
                                                                                                                                                                                                          Icon Hash:00928e8e8686b000
                                                                                                                                                                                                          Entrypoint:0x42cffe
                                                                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                                                                          Digitally signed:false
                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                          Time Stamp:0x5415F677 [Sun Sep 14 20:11:35 2014 UTC]
                                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                                          OS Version Major:5
                                                                                                                                                                                                          OS Version Minor:1
                                                                                                                                                                                                          File Version Major:5
                                                                                                                                                                                                          File Version Minor:1
                                                                                                                                                                                                          Subsystem Version Major:5
                                                                                                                                                                                                          Subsystem Version Minor:1
                                                                                                                                                                                                          Import Hash:f2a0245d6e1fa4eff8f7908b9115e5a5
Programming Language:
• [C++] VS2013 UPD4 build 31101
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f198 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3c000 | 0x77e8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2f000 | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d4a4 | 0x2d600 | a008b9f965a55234d4e9fec1e12e9ec6 | False | 0.7345310347796143 | data | 6.839663016682375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2f000 | 0x8be | 0xa00 | 55aa2668bd66e2095758bac52ad4d6a9 | False | 0.4265625 | data | 4.9731112242142945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x30000 | 0xbaa0 | 0x3e00 | bd6e729852a57125388e38f19ed205d8 | False | 0.9037298387096774 | data | 7.278103942872461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x3c000 | 0x77e8 | 0x7800 | 623b73b7d554b0184d990dca084cd43a | False | 0.77333984375 | data | 6.84069434637676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
GDI32.dll | GetBkColor, GetDCBrushColor, GetDCPenColor, GetClipRgn, GetMetaRgn, GetCurrentObject, GetDeviceCaps, GetObjectType, GetRandomRgn, GetStretchBltMode, GetSystemPaletteUse, GetTextCharacterExtra, GetTextAlign, GetTextColor, GetTextCharset, GetTextCharsetInfo, GetFontLanguageInfo
USER32.dll | GetMenuContextHelpId, GetCursor, GetWindowLongA, LoadIconA, GetWindowContextHelpId, SetWindowTextA, RemovePropA, GetPropA, GetScrollPos, EndPaint, GetDC, WindowFromDC, GetForegroundWindow, DrawTextA, GetMenuCheckMarkDimensions, GetMenuItemCount, GetMenuItemID, GetMenuState, GetMenu, IsWindowEnabled, EnableWindow, GetQueueStatus, SetFocus, GetDialogBaseUnits, CheckDlgButton, SetDlgItemTextA, GetDlgItemInt, GetDlgItem, EndDialog, MoveWindow, ShowWindow, CallWindowProcA, PostMessageA, SendMessageA, BeginPaint
KERNEL32.dll | MoveFileA, LocalFlags, GlobalHandle, GlobalFlags, GlobalSize, SizeofResource, LockResource, LoadResource, GetProcAddress, GetModuleHandleA, GetTickCount, GetVersion, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentProcess, GetProcessHeap, HeapAlloc, QueryPerformanceCounter, GetLastError, CloseHandle, IsDebuggerPresent, WriteFile, SetFilePointer, GetFileType, GetFileTime, GetDriveTypeA, FlushFileBuffers, FindClose, DeleteFileA, GetStdHandle
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-08-05T16:38:07.114356+0200 | UDP | 2018316 | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 53 | 56830 | 1.1.1.1 | 192.168.2.8
2024-08-05T16:38:17.877671+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49740 | 80 | 192.168.2.8 | 188.225.40.227
2024-08-05T16:36:45.925960+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49706 | 34.246.200.160 | 192.168.2.8
2024-08-05T16:36:42.598232+0200 | UDP | 2018316 | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 53 | 56810 | 1.1.1.1 | 192.168.2.8
2024-08-05T16:36:48.099598+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49708 | 80 | 192.168.2.8 | 15.197.192.55
2024-08-05T16:36:56.538931+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49719 | 80 | 192.168.2.8 | 54.244.188.177
2024-08-05T16:36:43.677692+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49705 | 80 | 192.168.2.8 | 35.164.78.200
2024-08-05T16:36:56.545343+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49719 | 54.244.188.177 | 192.168.2.8
2024-08-05T16:36:41.235057+0200 | UDP | 2811542 | ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) | 53 | 59367 | 1.1.1.1 | 192.168.2.8
2024-08-05T16:38:00.887942+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49728 | 80 | 192.168.2.8 | 35.164.78.200
2024-08-05T16:38:02.779063+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49729 | 80 | 192.168.2.8 | 34.246.200.160
2024-08-05T16:38:13.014870+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49737 | 80 | 192.168.2.8 | 54.244.188.177
2024-08-05T16:38:15.755898+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49738 | 80 | 192.168.2.8 | 81.169.145.88
2024-08-05T16:37:58.771271+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49727 | 80 | 192.168.2.8 | 3.33.130.190
2024-08-05T16:38:08.756166+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49732 | 80 | 192.168.2.8 | 85.13.130.3
2024-08-05T16:36:58.610225+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49720 | 80 | 192.168.2.8 | 81.169.145.88
2024-08-05T16:36:41.217947+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49704 | 80 | 192.168.2.8 | 3.33.130.190
2024-08-05T16:38:00.892788+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49728 | 35.164.78.200 | 192.168.2.8
2024-08-05T16:38:13.043633+0200 | UDP | 2811542 | ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) | 53 | 53468 | 1.1.1.1 | 192.168.2.8
2024-08-05T16:36:43.682520+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49705 | 35.164.78.200 | 192.168.2.8
2024-08-05T16:38:10.787983+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49734 | 80 | 192.168.2.8 | 170.187.200.48
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.448748112 CEST4970780192.168.2.815.197.142.173
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.453532934 CEST804970715.197.142.173192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.941528082 CEST804970715.197.142.173192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.941752911 CEST4970780192.168.2.815.197.142.173
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.943442106 CEST804970715.197.142.173192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.943525076 CEST4970780192.168.2.815.197.142.173
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.946896076 CEST804970715.197.142.173192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.629715919 CEST4970880192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.634953976 CEST804970815.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.635060072 CEST4970880192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.635165930 CEST4970880192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.640933037 CEST804970815.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.099404097 CEST804970815.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.099508047 CEST804970815.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.099597931 CEST4970880192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.099597931 CEST4970880192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.104832888 CEST804970815.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.886418104 CEST4970980192.168.2.885.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.891345024 CEST804970985.13.130.3192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.891441107 CEST4970980192.168.2.885.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.891526937 CEST4970980192.168.2.885.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.896311998 CEST804970985.13.130.3192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.546163082 CEST804970985.13.130.3192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.546340942 CEST804970985.13.130.3192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.546397924 CEST4970980192.168.2.885.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.546435118 CEST4970980192.168.2.885.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.551281929 CEST804970985.13.130.3192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.577109098 CEST4971080192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.582719088 CEST80497103.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.582822084 CEST4971080192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.588196039 CEST4971080192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.593147993 CEST80497103.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.041480064 CEST80497103.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.041673899 CEST4971080192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.042150974 CEST80497103.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.042223930 CEST4971080192.168.2.83.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.046708107 CEST80497103.33.130.190192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.278204918 CEST4971580192.168.2.8170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.283113956 CEST8049715170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.283189058 CEST4971580192.168.2.8170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.283257008 CEST4971580192.168.2.8170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.288091898 CEST8049715170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.790329933 CEST8049715170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.790442944 CEST4971580192.168.2.8170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.791500092 CEST8049715170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.791551113 CEST4971580192.168.2.8170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.796842098 CEST8049715170.187.200.48192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.105703115 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.110596895 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.110692978 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.110738039 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.115602016 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.854599953 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.854639053 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.854652882 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.854697943 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.856276035 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.856338978 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.857335091 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.857393980 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.857419968 CEST4971780192.168.2.8213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.863058090 CEST8049717213.171.195.105192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.887569904 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.893415928 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.893620014 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.893682003 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.905126095 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.556778908 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.556982994 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.557136059 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.557136059 CEST4971880192.168.2.864.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.562959909 CEST804971864.190.63.222192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.796593904 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.801454067 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.803678989 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.803735971 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:36:55.808799028 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:56.538788080 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:56.538830042 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:56.538930893 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:36:56.539038897 CEST4971980192.168.2.854.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:36:56.545342922 CEST804971954.244.188.177192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:57.675641060 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:36:57.680563927 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:57.680665016 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:36:57.680721998 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:36:57.943512917 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:58.610064030 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:58.610166073 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:58.610224962 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:36:58.610260010 CEST4972080192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:36:58.615102053 CEST804972081.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.353426933 CEST4972180192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.358596087 CEST804972115.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.358717918 CEST4972180192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.358747959 CEST4972180192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.364089966 CEST804972115.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.906940937 CEST804972115.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.906954050 CEST804972115.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.906974077 CEST804972115.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.907005072 CEST4972180192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.907032013 CEST4972180192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:37:00.907104969 CEST4972180192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.967499971 CEST4973880192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.967596054 CEST4973880192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.973997116 CEST804973881.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.755718946 CEST804973881.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.755784035 CEST804973881.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.755897999 CEST4973880192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.755933046 CEST4973880192.168.2.881.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.762623072 CEST804973881.169.145.88192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.140883923 CEST4973980192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.145975113 CEST804973915.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.146081924 CEST4973980192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.146161079 CEST4973980192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.151073933 CEST804973915.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.644612074 CEST804973915.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.644659042 CEST804973915.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.644670010 CEST804973915.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.644800901 CEST4973980192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.644902945 CEST4973980192.168.2.815.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.652700901 CEST804973915.197.192.55192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.192167997 CEST4974080192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.197321892 CEST8049740188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.197438002 CEST4974080192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.197480917 CEST4974080192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.202287912 CEST8049740188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.877573967 CEST8049740188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.877597094 CEST8049740188.225.40.227192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.877671003 CEST4974080192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.877717018 CEST4974080192.168.2.8188.225.40.227
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.882576942 CEST8049740188.225.40.227192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.304867029 CEST53629881.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.305530071 CEST6071053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.322139025 CEST53607101.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.322985888 CEST5930553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.332329035 CEST53593051.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.332981110 CEST6102153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.580202103 CEST53610211.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.581218958 CEST5788053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.597767115 CEST53578801.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.598520994 CEST5438153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.608977079 CEST53543811.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.609754086 CEST5775853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.621057987 CEST53577581.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.621823072 CEST5645953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.863224030 CEST53564591.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.864295006 CEST6385553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.874325991 CEST53638551.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.875132084 CEST5224253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.887716055 CEST53522421.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.888422966 CEST6166153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.091850996 CEST53616611.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.918513060 CEST5801553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.931898117 CEST53580151.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.932651043 CEST5361753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.944937944 CEST53536171.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.945818901 CEST6385153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.958379984 CEST53638511.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.959244967 CEST6245053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.970640898 CEST53624501.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.971379042 CEST5451853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.981431007 CEST53545181.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.982007027 CEST6181953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.159359932 CEST53618191.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.160356045 CEST6289953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.170938969 CEST53628991.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.171907902 CEST6131353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.183216095 CEST53613131.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.184082985 CEST5824253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.423681021 CEST53582421.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.424618959 CEST5826053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.437474966 CEST53582601.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.942486048 CEST6133153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.954034090 CEST53613311.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.954982996 CEST6441153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.198570967 CEST53644111.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.199863911 CEST5883553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.210464001 CEST53588351.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.211167097 CEST5279253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.226707935 CEST53527921.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.227523088 CEST5360853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.246351957 CEST53536081.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.247255087 CEST5704953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.279947042 CEST53570491.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.280801058 CEST5369453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.291918039 CEST53536941.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.292835951 CEST5599653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.628916979 CEST53559961.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.100435019 CEST5313553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.110498905 CEST53531351.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.111423016 CEST5896053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.355052948 CEST53589601.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.356029987 CEST5493353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.369045973 CEST53549331.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.369904995 CEST4999453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.386740923 CEST53499941.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.387667894 CEST6517553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.633297920 CEST53651751.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.634262085 CEST5438253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.649682999 CEST53543821.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.650899887 CEST6386453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.662101984 CEST53638641.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.663028955 CEST6231653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.673151016 CEST53623161.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.673784971 CEST5994453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.686657906 CEST53599441.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.687352896 CEST6491553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.698379040 CEST53649151.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.699014902 CEST5893653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.709713936 CEST53589361.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.710701942 CEST6320653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.721396923 CEST53632061.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.722073078 CEST5842553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.963458061 CEST53584251.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.964668989 CEST5761253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.972209930 CEST53576121.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.973030090 CEST5930753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.215868950 CEST53593071.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.217143059 CEST6385753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.227722883 CEST53638571.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.228580952 CEST5272253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.239301920 CEST53527221.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.240248919 CEST6115553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.506944895 CEST53611551.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.507904053 CEST5852653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.519426107 CEST53585261.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.520250082 CEST5645953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.530726910 CEST53564591.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.531650066 CEST6288953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.542201042 CEST53628891.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.543634892 CEST5357253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.792819977 CEST53535721.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.793900967 CEST5932653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.804862022 CEST53593261.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.805780888 CEST6535853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.818869114 CEST53653581.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.821552038 CEST5742953192.168.2.81.1.1.1
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Aug 5, 2024 16:36:49.832920074 CEST  53           57429      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:49.833841085 CEST  62476        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:49.846533060 CEST  53           62476      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:49.850253105 CEST  55435        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:49.884671926 CEST  53           55435      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:50.547266960 CEST  65494        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:50.560969114 CEST  53           65494      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:50.561996937 CEST  55517        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:50.576527119 CEST  53           55517      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:51.042473078 CEST  53378        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:51.292993069 CEST  53           53378      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:51.294143915 CEST  57746        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:51.536947012 CEST  53           57746      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:51.537852049 CEST  62714        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:51.786314011 CEST  53           62714      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:51.787070990 CEST  59455        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:51.802022934 CEST  53           59455      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:51.802778959 CEST  59129        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:51.813405037 CEST  53           59129      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:51.814130068 CEST  52533        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:51.824346066 CEST  53           52533      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:51.825092077 CEST  51590        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:51.836872101 CEST  53           51590      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:51.837702990 CEST  56921        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:52.088181973 CEST  53           56921      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:52.089168072 CEST  50394        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:52.100846052 CEST  53           50394      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:52.101660967 CEST  50441        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:52.346534014 CEST  53           50441      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:52.347357035 CEST  62179        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:52.358089924 CEST  53           62179      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:52.358875990 CEST  63619        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:52.369129896 CEST  53           63619      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:52.370096922 CEST  57156        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:52.796561003 CEST  53           57156      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:52.797898054 CEST  58106        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:52.810426950 CEST  53           58106      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:52.811161041 CEST  56153        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:52.823853970 CEST  53           56153      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:52.829648972 CEST  57703        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:53.277653933 CEST  53           57703      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:53.791110039 CEST  52669        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:53.802386999 CEST  53           52669      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:53.803234100 CEST  53408        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:53.814697027 CEST  53           53408      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:53.815788984 CEST  56750        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:54.055990934 CEST  53           56750      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:54.056989908 CEST  57370        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:54.068696022 CEST  53           57370      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:54.069430113 CEST  57723        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:54.105180025 CEST  53           57723      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:54.858067989 CEST  52218        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:54.886974096 CEST  53           52218      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:55.557658911 CEST  64773        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:55.568685055 CEST  53           64773      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:55.569571972 CEST  52784        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:55.584660053 CEST  53           52784      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:55.585674047 CEST  52744        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:55.785990953 CEST  53           52744      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.539659023 CEST  65317        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.552134037 CEST  53           65317      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.553088903 CEST  59137        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.567317963 CEST  53           59137      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.568094969 CEST  63641        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.580863953 CEST  53           63641      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.581495047 CEST  64135        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.595370054 CEST  53           64135      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.595973969 CEST  57529        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.608808041 CEST  53           57529      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.609473944 CEST  62247        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.621980906 CEST  53           62247      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.622976065 CEST  49266        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.638958931 CEST  53           49266      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.639790058 CEST  63450        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.653503895 CEST  53           63450      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.654500961 CEST  49856        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.897937059 CEST  53           49856      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.899085045 CEST  58162        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:56.912920952 CEST  53           58162      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:56.913820982 CEST  59210        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:57.155175924 CEST  53           59210      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:57.156533957 CEST  64399        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:57.175685883 CEST  53           64399      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:57.176954031 CEST  60796        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:57.212047100 CEST  53           60796      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:57.212913990 CEST  64902        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:57.225847960 CEST  53           64902      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:57.226860046 CEST  62224        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:57.386040926 CEST  53           62224      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:57.387175083 CEST  57237        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:57.633265972 CEST  53           57237      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:57.634114027 CEST  61823        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:57.646018982 CEST  53           61823      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:57.646895885 CEST  63036        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:57.675052881 CEST  53           63036      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:58.610924959 CEST  62228        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:58.784452915 CEST  53           62228      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:58.785491943 CEST  59758        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.028749943 CEST  53           59758      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.029863119 CEST  55003        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.040896893 CEST  53           55003      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.041729927 CEST  53517        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.054090977 CEST  53           53517      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.055022955 CEST  64391        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.306061029 CEST  53           64391      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.307311058 CEST  63890        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.317742109 CEST  53           63890      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.318478107 CEST  55082        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.331271887 CEST  53           55082      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.332151890 CEST  59605        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.345051050 CEST  53           59605      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.345741987 CEST  52144        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.357047081 CEST  53           52144      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.357644081 CEST  61501        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.367822886 CEST  53           61501      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.368601084 CEST  63970        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.609183073 CEST  53           63970      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.610183001 CEST  54004        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:36:59.864170074 CEST  53           54004      1.1.1.1       192.168.2.8
Aug 5, 2024 16:36:59.865206957 CEST  58338        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:00.352580070 CEST  53           58338      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:00.907918930 CEST  62993        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:01.234253883 CEST  53           62993      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:01.235503912 CEST  53347        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:01.246416092 CEST  53           53347      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:01.247356892 CEST  49213        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:01.265527010 CEST  53           49213      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:01.266585112 CEST  49770        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:01.509727955 CEST  53           49770      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:01.510814905 CEST  60355        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:01.523408890 CEST  53           60355      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:01.524280071 CEST  52359        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:01.537791014 CEST  53           52359      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:01.538729906 CEST  65309        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:01.869175911 CEST  53           65309      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:02.573220015 CEST  63253        53         192.168.2.8   1.1.1.1
Aug 5, 2024 16:37:02.816730976 CEST  53           63253      1.1.1.1       192.168.2.8
Aug 5, 2024 16:37:02.818362951 CEST  64109        53         192.168.2.8   1.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:03.069011927 CEST53641091.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:03.069844961 CEST6386653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:03.081201077 CEST53638661.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:03.082120895 CEST5567853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:03.092972040 CEST53556781.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.428836107 CEST6064553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.670433998 CEST53606451.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.674669027 CEST5159853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.927356958 CEST53515981.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.928169966 CEST4944553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.940391064 CEST53494451.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.941281080 CEST5370653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.952907085 CEST53537061.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.953811884 CEST5518853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.965336084 CEST53551881.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.966114044 CEST5318253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.977690935 CEST53531821.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:57.978588104 CEST5038653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.230727911 CEST53503861.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.231544971 CEST6393153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.246515989 CEST53639311.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.247298956 CEST5488653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.258975029 CEST53548861.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.772082090 CEST5579453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.782063007 CEST53557941.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.783575058 CEST5610553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.794399977 CEST53561051.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:58.795322895 CEST5580053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.039271116 CEST53558001.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.040324926 CEST5502453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.051409006 CEST53550241.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.052227974 CEST5808053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.062588930 CEST53580801.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.063220978 CEST6339453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.074398041 CEST53633941.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.075149059 CEST6121753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.088793993 CEST53612171.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.089663982 CEST5796753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.100234985 CEST53579671.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.101142883 CEST6180153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.117769957 CEST53618011.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.118431091 CEST5730053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.134715080 CEST53573001.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.135755062 CEST5306753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.379652023 CEST53530671.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.387303114 CEST6159953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.398346901 CEST53615991.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.399113894 CEST5175353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.416244030 CEST53517531.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.417169094 CEST6218753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.428545952 CEST53621871.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.429300070 CEST5019353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.440690041 CEST53501931.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.441529989 CEST6211353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.458669901 CEST53621131.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.459481001 CEST5169153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.700623989 CEST53516911.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.701643944 CEST5464253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.715399981 CEST53546421.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.756491899 CEST4999653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.766896009 CEST53499961.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.767684937 CEST6451653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.778212070 CEST53645161.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.778903008 CEST6074253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.789803982 CEST53607421.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.790527105 CEST5048253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.799540043 CEST53504821.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.800203085 CEST5881053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.812242031 CEST53588101.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.813172102 CEST5878253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.828253984 CEST53587821.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.829050064 CEST5130653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.071831942 CEST53513061.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.075073004 CEST6419253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.086347103 CEST53641921.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.888679981 CEST5654653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.900537014 CEST53565461.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.901315928 CEST5746453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.913670063 CEST53574641.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.914385080 CEST5788553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.155545950 CEST53578851.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.156696081 CEST5371553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.167927980 CEST53537151.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.168790102 CEST5141753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.180170059 CEST53514171.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.180885077 CEST6276853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.352588892 CEST53627681.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.353596926 CEST5114653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.597661972 CEST53511461.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.598681927 CEST6056353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.618999958 CEST53605631.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.619714975 CEST6192553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.632441044 CEST53619251.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.633131027 CEST5869553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.644659996 CEST53586951.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.645250082 CEST5761353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.661240101 CEST53576131.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.662019968 CEST5262553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.679740906 CEST53526251.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.680368900 CEST5785553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.693149090 CEST53578551.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.693762064 CEST5898453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.707020044 CEST53589841.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.707885027 CEST6086953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.720268965 CEST53608691.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.720900059 CEST5237953192.168.2.81.1.1.1
Aug 5, 2024 16:38:01.970777988 CEST  53     52379  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:01.971864939 CEST  58881  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:01.985738039 CEST  53     58881  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:01.986692905 CEST  49653  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:02.006782055 CEST  53     49653  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:02.786472082 CEST  50401  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:02.954701900 CEST  53     50401  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:02.955905914 CEST  53791  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:02.966984034 CEST  53     53791  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:02.967715025 CEST  57473  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:02.981306076 CEST  53     57473  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:02.981921911 CEST  61397  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:02.994856119 CEST  53     61397  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:02.995558977 CEST  58392  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:03.006686926 CEST  53     58392  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:03.008308887 CEST  57308  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:03.019572020 CEST  53     57308  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:03.020165920 CEST  55694  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:03.031160116 CEST  53     55694  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:03.032104015 CEST  62164  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:03.275041103 CEST  53     62164  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:03.276165009 CEST  60304  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:03.286937952 CEST  53     60304  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:04.009152889 CEST  55503  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:04.019555092 CEST  53     55503  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:04.020471096 CEST  58413  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:04.270334959 CEST  53     58413  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:04.271404982 CEST  50051  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:04.285171986 CEST  53     50051  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:04.286155939 CEST  54259  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:04.297135115 CEST  53     54259  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:04.298084021 CEST  58007  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:04.542114973 CEST  53     58007  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:04.543216944 CEST  52782  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:04.795299053 CEST  53     52782  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:04.796159983 CEST  53143  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:04.808367014 CEST  53     53143  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:05.284837008 CEST  57061  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:05.527439117 CEST  53     57061  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:05.528462887 CEST  51525  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:05.770265102 CEST  53     51525  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:05.771229982 CEST  58633  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:05.782088041 CEST  53     58633  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:05.782999039 CEST  58378  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:05.795113087 CEST  53     58378  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:05.796008110 CEST  49281  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.037519932 CEST  53     49281  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.038474083 CEST  63639  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.051501036 CEST  53     63639  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.052314997 CEST  51355  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.067466021 CEST  53     51355  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.068372965 CEST  63198  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.079953909 CEST  53     63198  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.080666065 CEST  56784  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.092104912 CEST  53     56784  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.092946053 CEST  54834  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.104203939 CEST  53     54834  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.105006933 CEST  50213  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.350621939 CEST  53     50213  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.351753950 CEST  55882  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.366333961 CEST  53     55882  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.367357016 CEST  65036  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.610652924 CEST  53     65036  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.611430883 CEST  53568  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.853066921 CEST  53     53568  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.854162931 CEST  50231  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:06.866261959 CEST  53     50231  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:06.867189884 CEST  56830  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.114356041 CEST  53     56830  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.115150928 CEST  61624  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.126018047 CEST  53     61624  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.126703978 CEST  56929  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.138246059 CEST  53     56929  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.139151096 CEST  49836  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.150002956 CEST  53     49836  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.150753021 CEST  56208  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.403168917 CEST  53     56208  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.404272079 CEST  59974  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.647264004 CEST  53     59974  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.648349047 CEST  51291  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.813163042 CEST  53     51291  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.814178944 CEST  59320  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.828260899 CEST  53     59320  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.829015017 CEST  59696  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:07.840544939 CEST  53     59696  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:07.841326952 CEST  50270  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:08.082031965 CEST  53     50270  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:08.083017111 CEST  50332  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:08.094218969 CEST  53     50332  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:08.756918907 CEST  61174  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:08.770143032 CEST  53     61174  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.241879940 CEST  56317  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.252569914 CEST  53     56317  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.253295898 CEST  62020  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.494096994 CEST  53     62020  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.495203972 CEST  53884  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.507671118 CEST  53     53884  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.508620977 CEST  58512  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.522731066 CEST  53     58512  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.523475885 CEST  64319  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.537250042 CEST  53     64319  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.537851095 CEST  55994  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.550298929 CEST  53     55994  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.550875902 CEST  56841  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.563360929 CEST  53     56841  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.563930035 CEST  57111  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.575318098 CEST  53     57111  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.575917959 CEST  64611  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.585946083 CEST  53     64611  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.586576939 CEST  49454  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:09.828493118 CEST  53     49454  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:09.829626083 CEST  57256  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.079885960 CEST  53     57256  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:10.080786943 CEST  52179  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.093116999 CEST  53     52179  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:10.093772888 CEST  60853  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.106477022 CEST  53     60853  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:10.107048988 CEST  61258  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.118125916 CEST  53     61258  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:10.118805885 CEST  56070  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.130733967 CEST  53     56070  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:10.788712025 CEST  52029  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.950330019 CEST  53     52029  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:10.951293945 CEST  64759  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.964117050 CEST  53     64759  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:10.965055943 CEST  62415  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.979084969 CEST  53     62415  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:10.980199099 CEST  60963  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:10.994060040 CEST  53     60963  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:12.237627029 CEST  57324  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:12.250061989 CEST  53     57324  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:12.250858068 CEST  56329  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:12.261554956 CEST  53     56329  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:13.015707016 CEST  51761  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:13.026566982 CEST  53     51761  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:13.027214050 CEST  53468  53     192.168.2.8  1.1.1.1
Aug 5, 2024 16:38:13.043632984 CEST  53     53468  1.1.1.1      192.168.2.8
Aug 5, 2024 16:38:13.044538021 CEST  60572  53     192.168.2.8  1.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.056206942 CEST53605721.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.057059050 CEST6215153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.298180103 CEST53621511.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.299190998 CEST6505153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.310750008 CEST53650511.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.311497927 CEST5643553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.555214882 CEST53564351.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.556307077 CEST5935853192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.567203999 CEST53593581.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.567822933 CEST5047153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.817608118 CEST53504711.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.821393967 CEST5476553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.832412958 CEST53547651.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.833159924 CEST5795353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.994288921 CEST53579531.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.995239973 CEST5509453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.244328976 CEST53550941.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.245342016 CEST5477253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.256731987 CEST53547721.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.257494926 CEST6276153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.290611029 CEST53627611.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.291631937 CEST6060753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.536237955 CEST53606071.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.537060976 CEST6538553192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.550556898 CEST53653851.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.551336050 CEST4980353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.794930935 CEST53498031.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.796035051 CEST5953953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.960773945 CEST53595391.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.756539106 CEST6060753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.768749952 CEST53606071.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.770070076 CEST5163953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.783431053 CEST53516391.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.784178019 CEST5750753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.027815104 CEST53575071.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.028703928 CEST5996653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.040061951 CEST53599661.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.041012049 CEST6164953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.052799940 CEST53616491.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.053503990 CEST6167153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.063801050 CEST53616711.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.064435005 CEST5271353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.076200008 CEST53527131.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.077012062 CEST5645353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.090326071 CEST53564531.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.091434002 CEST6170753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.103250980 CEST53617071.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.104024887 CEST5177153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.117063999 CEST53517711.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.117809057 CEST6342453192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.129182100 CEST53634241.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.129972935 CEST5976353192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.140059948 CEST53597631.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.645587921 CEST5168753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.660269976 CEST53516871.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.661075115 CEST5405653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.902749062 CEST53540561.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.903548956 CEST5630653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.914294958 CEST53563061.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.915522099 CEST6275153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.926187038 CEST53627511.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.927206039 CEST5679653192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.175543070 CEST53567961.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.176739931 CEST6024753192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.191059113 CEST53602471.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.878387928 CEST6034953192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.120208025 CEST53603491.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.121047020 CEST5991253192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.132384062 CEST53599121.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.133156061 CEST5469053192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.145858049 CEST53546901.1.1.1192.168.2.8
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.146609068 CEST5873153192.168.2.81.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.157897949 CEST53587311.1.1.1192.168.2.8
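The UDP packet rows above and the DNS query rows this report lists are what a detection engineer would feed a DGA/beaconing check. The script below is an added example for this page, not code from Joe Sandbox: it pairs each query with its reply by the client's ephemeral port, measures the peak lookup rate and resolver round-trip, and scores the queried names for the word reuse typical of dictionary-based domain generation. The pipe-separated row layout, the thresholds and the word-reuse heuristic are this example's own assumptions; the sample rows are constructed from entries on this page.

```python
"""DNS-burst and dictionary-DGA heuristics over Joe Sandbox traffic rows.

Added example for this report page, not code from Joe Sandbox.  The
pipe-separated row layout, the thresholds and the word-reuse heuristic are
this example's own assumptions; the sample rows are constructed from entries
on this page (192.168.2.8 is the analysis VM, 1.1.1.1 its resolver).
"""
import re
from datetime import datetime
from itertools import combinations

# UDP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
UDP_ROWS = """\
Aug 5, 2024 16:38:16.028703928 CEST | 59966 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:38:16.040061951 CEST | 53 | 59966 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:38:16.041012049 CEST | 61649 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:38:16.052799940 CEST | 53 | 61649 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:38:16.053503990 CEST | 61671 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:38:16.063801050 CEST | 53 | 61671 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:38:16.064435005 CEST | 52713 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:38:16.076200008 CEST | 53 | 52713 | 1.1.1.1 | 192.168.2.8
Aug 5, 2024 16:38:17.878387928 CEST | 60349 | 53 | 192.168.2.8 | 1.1.1.1
Aug 5, 2024 16:38:18.120208025 CEST | 53 | 60349 | 1.1.1.1 | 192.168.2.8
"""

# DNS queries: Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DoH
DNS_ROWS = """\
Aug 5, 2024 16:36:39.353005886 CEST | 192.168.2.8 | 1.1.1.1 | 0x8c84 | Standard query (0) | smokeclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.370682955 CEST | 192.168.2.8 | 1.1.1.1 | 0x40e4 | Standard query (0) | womangeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.612252951 CEST | 192.168.2.8 | 1.1.1.1 | 0xa5da | Standard query (0) | smokegeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.856030941 CEST | 192.168.2.8 | 1.1.1.1 | 0x7cf8 | Standard query (0) | womaninclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.868695974 CEST | 192.168.2.8 | 1.1.1.1 | 0x5a13 | Standard query (0) | smokeinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.879074097 CEST | 192.168.2.8 | 1.1.1.1 | 0xf8a9 | Standard query (0) | womannorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.119795084 CEST | 192.168.2.8 | 1.1.1.1 | 0x15ed | Standard query (0) | smokenorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.287440062 CEST | 192.168.2.8 | 1.1.1.1 | 0x9c70 | Standard query (0) | partyclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.298654079 CEST | 192.168.2.8 | 1.1.1.1 | 0xfcb8 | Standard query (0) | fightclear.net | A (IP address) | IN (0x0001) | false
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+$")


def parse_ts(text):
    """'Aug 5, 2024 16:38:16.028703928 CEST' -> naive datetime (nanoseconds truncated to micro)."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))


def parse_udp_rows(text):
    """Yield (timestamp, src_port, dst_port, src_ip, dst_ip) per non-empty row."""
    for line in text.splitlines():
        if line.strip():
            ts, sport, dport, src, dst = (c.strip() for c in line.split("|"))
            yield parse_ts(ts), int(sport), int(dport), src, dst


def parse_dns_rows(text):
    """Return the queried names (column 6 of the DNS query layout)."""
    return [line.split("|")[5].strip() for line in text.splitlines() if line.strip()]


def pair_dns_lookups(rows, client, resolver):
    """Match client->resolver:53 queries with resolver:53->client replies by ephemeral port.
    Returns [(query_time, rtt_seconds or None)]; a retry on the same port replaces the
    earlier pending query, so only the answered attempt is timed."""
    pending, lookups = {}, []
    for ts, sport, dport, src, dst in rows:
        if src == client and dst == resolver and dport == 53:
            pending[sport] = ts
        elif src == resolver and dst == client and sport == 53 and dport in pending:
            q = pending.pop(dport)
            lookups.append((q, (ts - q).total_seconds()))
    lookups.extend((q, None) for q in pending.values())
    return sorted(lookups, key=lambda x: x[0])


def peak_lookups_per_second(query_times):
    """Largest number of queries inside any sliding 1-second window."""
    times, best, start = sorted(query_times), 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > 1.0:
            start += 1
        best = max(best, end - start + 1)
    return best


def word_reuse_ratio(names, min_len=4):
    """Share of second-level labels sharing a >= min_len prefix or suffix with another
    label.  Dictionary DGAs recombine a small word list, so this runs near 1.0; random
    character DGAs and ordinary browsing run low.  Heuristic, not a classifier."""
    labels = sorted({n.lower().split(".")[0] for n in names})
    reused = set()
    for a, b in combinations(labels, 2):
        if len(a) >= min_len and len(b) >= min_len and (
            a[:min_len] == b[:min_len] or a[-min_len:] == b[-min_len:]
        ):
            reused.update((a, b))
    return len(reused) / len(labels) if labels else 0.0


def assess(udp_text, names, client="192.168.2.8", resolver="1.1.1.1",
           burst_threshold=3, reuse_threshold=0.6):
    """Summarise lookup volume, resolver RTT and name structure; flag DGA-like traffic.
    Thresholds are assumptions for this small sample (the report's own signature
    fires on more than 100 lookups)."""
    lookups = pair_dns_lookups(parse_udp_rows(udp_text), client, resolver)
    rtts = sorted(r for _, r in lookups if r is not None)
    peak = peak_lookups_per_second([q for q, _ in lookups])
    reuse = word_reuse_ratio(names)
    return {
        "lookups": len(lookups),
        "unanswered": sum(1 for _, r in lookups if r is None),
        "peak_per_second": peak,
        "median_rtt_ms": rtts[len(rtts) // 2] * 1000 if rtts else None,
        "distinct_names": len(set(names)),
        "word_reuse": reuse,
        "dga_like": peak >= burst_threshold and reuse >= reuse_threshold,
    }


if __name__ == "__main__":
    print(assess(UDP_ROWS, parse_dns_rows(DNS_ROWS)))
```

Pairing by ephemeral port is what lets you separate "many queries" from "many queries that never resolve": an answered lookup with an NXDOMAIN still produces a reply packet, so the UDP table alone shows only rate and RTT, and the name list has to carry the rest. On a full capture, feed every row of both tables in and raise the burst threshold toward the report's own 100-lookup figure.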
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 5, 2024 16:36:39.353005886 CEST | 192.168.2.8 | 1.1.1.1 | 0x8c84 | Standard query (0) | smokeclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.370682955 CEST | 192.168.2.8 | 1.1.1.1 | 0x40e4 | Standard query (0) | womangeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.612252951 CEST | 192.168.2.8 | 1.1.1.1 | 0xa5da | Standard query (0) | smokegeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.856030941 CEST | 192.168.2.8 | 1.1.1.1 | 0x7cf8 | Standard query (0) | womaninclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.868695974 CEST | 192.168.2.8 | 1.1.1.1 | 0x5a13 | Standard query (0) | smokeinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.879074097 CEST | 192.168.2.8 | 1.1.1.1 | 0xf8a9 | Standard query (0) | womannorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.119795084 CEST | 192.168.2.8 | 1.1.1.1 | 0x15ed | Standard query (0) | smokenorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.287440062 CEST | 192.168.2.8 | 1.1.1.1 | 0x9c70 | Standard query (0) | partyclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.298654079 CEST | 192.168.2.8 | 1.1.1.1 | 0xfcb8 | Standard query (0) | fightclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.541182995 CEST | 192.168.2.8 | 1.1.1.1 | 0x31f9 | Standard query (0) | partygeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:41.218976021 CEST | 192.168.2.8 | 1.1.1.1 | 0xf574 | Standard query (0) | fightgeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:41.236143112 CEST | 192.168.2.8 | 1.1.1.1 | 0xe786 | Standard query (0) | partyinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:41.479392052 CEST | 192.168.2.8 | 1.1.1.1 | 0x427e | Standard query (0) | fightinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:41.488435984 CEST | 192.168.2.8 | 1.1.1.1 | 0xe47b | Standard query (0) | partynorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:41.496673107 CEST | 192.168.2.8 | 1.1.1.1 | 0xe3e2 | Standard query (0) | fightnorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:41.753242016 CEST | 192.168.2.8 | 1.1.1.1 | 0xa396 | Standard query (0) | freshbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.001708984 CEST | 192.168.2.8 | 1.1.1.1 | 0x5075 | Standard query (0) | experiencebranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.016551018 CEST | 192.168.2.8 | 1.1.1.1 | 0x1d11 | Standard query (0) | freshbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.028527021 CEST | 192.168.2.8 | 1.1.1.1 | 0x770 | Standard query (0) | experiencebelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.041399002 CEST | 192.168.2.8 | 1.1.1.1 | 0x311a | Standard query (0) | freshreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.059204102 CEST | 192.168.2.8 | 1.1.1.1 | 0x13bf | Standard query (0) | experiencereceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.319832087 CEST | 192.168.2.8 | 1.1.1.1 | 0xba01 | Standard query (0) | freshquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.331574917 CEST | 192.168.2.8 | 1.1.1.1 | 0xea77 | Standard query (0) | experiencequarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.575365067 CEST | 192.168.2.8 | 1.1.1.1 | 0x6dd9 | Standard query (0) | gentlemanbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.586740017 CEST | 192.168.2.8 | 1.1.1.1 | 0x32cb | Standard query (0) | alreadybranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.599143982 CEST | 192.168.2.8 | 1.1.1.1 | 0x5306 | Standard query (0) | gentlemanbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.614051104 CEST | 192.168.2.8 | 1.1.1.1 | 0x6caf | Standard query (0) | alreadybelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.627573967 CEST | 192.168.2.8 | 1.1.1.1 | 0xbe45 | Standard query (0) | gentlemanreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.639345884 CEST | 192.168.2.8 | 1.1.1.1 | 0x1493 | Standard query (0) | alreadyreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.650440931 CEST | 192.168.2.8 | 1.1.1.1 | 0x35cc | Standard query (0) | gentlemanquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.667460918 CEST | 192.168.2.8 | 1.1.1.1 | 0x7027 | Standard query (0) | alreadyquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.683355093 CEST | 192.168.2.8 | 1.1.1.1 | 0xf224 | Standard query (0) | followbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.694165945 CEST | 192.168.2.8 | 1.1.1.1 | 0xc09 | Standard query (0) | memberbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.705434084 CEST | 192.168.2.8 | 1.1.1.1 | 0x44dc | Standard query (0) | followbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.717470884 CEST | 192.168.2.8 | 1.1.1.1 | 0x8bd7 | Standard query (0) | memberbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.730122089 CEST | 192.168.2.8 | 1.1.1.1 | 0xd2f9 | Standard query (0) | followreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:42.743774891 CEST | 192.168.2.8 | 1.1.1.1 | 0x2355 | Standard query (0) | memberreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:43.678503990 CEST | 192.168.2.8 | 1.1.1.1 | 0x8114 | Standard query (0) | followquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:43.700141907 CEST | 192.168.2.8 | 1.1.1.1 | 0x6443 | Standard query (0) | memberquarter.net | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                          Aug 5, 2024 16:36:43.752810001 CEST192.168.2.81.1.1.10x3845Standard query (0)beginbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:43.765305996 CEST192.168.2.81.1.1.10xe433Standard query (0)knownbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:43.778363943 CEST192.168.2.81.1.1.10xea7aStandard query (0)beginbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.017153978 CEST192.168.2.81.1.1.10x3ab3Standard query (0)knownbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.029429913 CEST192.168.2.81.1.1.10x8097Standard query (0)beginreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.279048920 CEST192.168.2.81.1.1.10x35b6Standard query (0)knownreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.294002056 CEST192.168.2.81.1.1.10x861bStandard query (0)beginquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.305530071 CEST192.168.2.81.1.1.10x3333Standard query (0)knownquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.322985888 CEST192.168.2.81.1.1.10x390bStandard query (0)summerbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.332981110 CEST192.168.2.81.1.1.10x5141Standard query (0)crowdbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.581218958 CEST192.168.2.81.1.1.10x14b6Standard query (0)summerbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.598520994 CEST192.168.2.81.1.1.10x6331Standard query (0)crowdbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.609754086 CEST192.168.2.81.1.1.10x82bdStandard query (0)summerreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.621823072 CEST192.168.2.81.1.1.10x96c8Standard query (0)crowdreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.864295006 CEST192.168.2.81.1.1.10x1938Standard query (0)summerquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.875132084 CEST192.168.2.81.1.1.10x99e7Standard query (0)crowdquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.888422966 CEST192.168.2.81.1.1.10x207bStandard query (0)thoughtbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.918513060 CEST192.168.2.81.1.1.10xff51Standard query (0)waterbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.932651043 CEST192.168.2.81.1.1.10x1daaStandard query (0)thoughtbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.945818901 CEST192.168.2.81.1.1.10x6c04Standard query (0)waterbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.959244967 CEST192.168.2.81.1.1.10x9a33Standard query (0)thoughtreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.971379042 CEST192.168.2.81.1.1.10x3afStandard query (0)waterreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.982007027 CEST192.168.2.81.1.1.10x7187Standard query (0)thoughtquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.160356045 CEST192.168.2.81.1.1.10xf8f4Standard query (0)waterquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.171907902 CEST192.168.2.81.1.1.10x2f0bStandard query (0)womanbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.184082985 CEST192.168.2.81.1.1.10xe4f5Standard query (0)smokebranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.424618959 CEST192.168.2.81.1.1.10x6d7eStandard query (0)womanbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.942486048 CEST192.168.2.81.1.1.10x3dbcStandard query (0)smokebelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.954982996 CEST192.168.2.81.1.1.10x359Standard query (0)womanreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.199863911 CEST192.168.2.81.1.1.10xd753Standard query (0)smokereceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.211167097 CEST192.168.2.81.1.1.10x8ff9Standard query (0)womanquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.227523088 CEST192.168.2.81.1.1.10xb38fStandard query (0)smokequarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.247255087 CEST192.168.2.81.1.1.10x4110Standard query (0)partybranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.280801058 CEST192.168.2.81.1.1.10x90daStandard query (0)fightbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.292835951 CEST192.168.2.81.1.1.10x37afStandard query (0)partybelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.100435019 CEST192.168.2.81.1.1.10xd84Standard query (0)fightbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.111423016 CEST192.168.2.81.1.1.10xff68Standard query (0)partyreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.356029987 CEST192.168.2.81.1.1.10x9407Standard query (0)fightreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.369904995 CEST192.168.2.81.1.1.10x4f4Standard query (0)partyquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.387667894 CEST192.168.2.81.1.1.10xd298Standard query (0)fightquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.634262085 CEST192.168.2.81.1.1.10x8360Standard query (0)freshhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.650899887 CEST192.168.2.81.1.1.10xc4d5Standard query (0)experiencehonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.663028955 CEST192.168.2.81.1.1.10x93eeStandard query (0)freshneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.673784971 CEST192.168.2.81.1.1.10x1d2cStandard query (0)experienceneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.687352896 CEST192.168.2.81.1.1.10x8c51Standard query (0)freshsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.699014902 CEST192.168.2.81.1.1.10xbb44Standard query (0)experiencesystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.710701942 CEST192.168.2.81.1.1.10x620fStandard query (0)freshtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.722073078 CEST192.168.2.81.1.1.10x966bStandard query (0)experiencetrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.964668989 CEST192.168.2.81.1.1.10xa003Standard query (0)gentlemanhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.973030090 CEST192.168.2.81.1.1.10x849dStandard query (0)alreadyhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.217143059 CEST192.168.2.81.1.1.10xede0Standard query (0)gentlemanneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.228580952 CEST192.168.2.81.1.1.10xae85Standard query (0)alreadyneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.240248919 CEST192.168.2.81.1.1.10xe524Standard query (0)gentlemansystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.507904053 CEST192.168.2.81.1.1.10xc5ffStandard query (0)alreadysystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.520250082 CEST192.168.2.81.1.1.10xbf93Standard query (0)gentlemantrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.531650066 CEST192.168.2.81.1.1.10x220cStandard query (0)alreadytrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.543634892 CEST192.168.2.81.1.1.10xe85Standard query (0)followhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.793900967 CEST192.168.2.81.1.1.10x9bceStandard query (0)memberhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.805780888 CEST192.168.2.81.1.1.10x2ad0Standard query (0)followneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.821552038 CEST192.168.2.81.1.1.10x7a61Standard query (0)memberneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.833841085 CEST192.168.2.81.1.1.10xacd1Standard query (0)followsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.850253105 CEST192.168.2.81.1.1.10x2f34Standard query (0)membersystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.547266960 CEST192.168.2.81.1.1.10xb845Standard query (0)followtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:50.561996937 CEST192.168.2.81.1.1.10x6ea7Standard query (0)membertrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.042473078 CEST192.168.2.81.1.1.10x7501Standard query (0)beginhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.294143915 CEST192.168.2.81.1.1.10x582dStandard query (0)knownhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.537852049 CEST192.168.2.81.1.1.10xabdeStandard query (0)beginneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.787070990 CEST192.168.2.81.1.1.10x1f4eStandard query (0)knownneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.802778959 CEST192.168.2.81.1.1.10x8c0aStandard query (0)beginsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.814130068 CEST192.168.2.81.1.1.10xf37Standard query (0)knownsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.825092077 CEST192.168.2.81.1.1.10xb68aStandard query (0)begintrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:51.837702990 CEST192.168.2.81.1.1.10xba61Standard query (0)knowntrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:52.089168072 CEST192.168.2.81.1.1.10x3292Standard query (0)summerhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:52.101660967 CEST192.168.2.81.1.1.10x8c2bStandard query (0)crowdhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:52.347357035 CEST192.168.2.81.1.1.10xf4e6Standard query (0)summerneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:52.358875990 CEST192.168.2.81.1.1.10x5b04Standard query (0)crowdneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:52.370096922 CEST192.168.2.81.1.1.10xc28cStandard query (0)summersystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:52.797898054 CEST192.168.2.81.1.1.10xd01Standard query (0)crowdsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:52.811161041 CEST192.168.2.81.1.1.10x3194Standard query (0)summertrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:52.829648972 CEST192.168.2.81.1.1.10xd224Standard query (0)crowdtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.791110039 CEST192.168.2.81.1.1.10xc030Standard query (0)thoughthonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.803234100 CEST192.168.2.81.1.1.10xd321Standard query (0)waterhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:53.815788984 CEST192.168.2.81.1.1.10x5f01Standard query (0)thoughtneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.056989908 CEST192.168.2.81.1.1.10x30c5Standard query (0)waterneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:54.069430113 CEST192.168.2.81.1.1.10x46ccStandard query (0)thoughtsystem.netA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 5, 2024 16:36:54.858067989 CEST | 192.168.2.8 | 1.1.1.1 | 0x8445 | Standard query (0) | watersystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:55.557658911 CEST | 192.168.2.8 | 1.1.1.1 | 0x4f9f | Standard query (0) | thoughttrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:55.569571972 CEST | 192.168.2.8 | 1.1.1.1 | 0x2034 | Standard query (0) | watertrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:55.585674047 CEST | 192.168.2.8 | 1.1.1.1 | 0xe854 | Standard query (0) | womanhonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.539659023 CEST | 192.168.2.8 | 1.1.1.1 | 0x896d | Standard query (0) | smokehonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.553088903 CEST | 192.168.2.8 | 1.1.1.1 | 0x538b | Standard query (0) | womanneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.568094969 CEST | 192.168.2.8 | 1.1.1.1 | 0x64f2 | Standard query (0) | smokeneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.581495047 CEST | 192.168.2.8 | 1.1.1.1 | 0x2764 | Standard query (0) | womansystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.595973969 CEST | 192.168.2.8 | 1.1.1.1 | 0x3175 | Standard query (0) | smokesystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.609473944 CEST | 192.168.2.8 | 1.1.1.1 | 0x5f99 | Standard query (0) | womantrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.622976065 CEST | 192.168.2.8 | 1.1.1.1 | 0x792d | Standard query (0) | smoketrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.639790058 CEST | 192.168.2.8 | 1.1.1.1 | 0x2562 | Standard query (0) | partyhonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.654500961 CEST | 192.168.2.8 | 1.1.1.1 | 0x6fe9 | Standard query (0) | fighthonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.899085045 CEST | 192.168.2.8 | 1.1.1.1 | 0x31d5 | Standard query (0) | partyneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:56.913820982 CEST | 192.168.2.8 | 1.1.1.1 | 0x93b1 | Standard query (0) | fightneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:57.156533957 CEST | 192.168.2.8 | 1.1.1.1 | 0x59d2 | Standard query (0) | partysystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:57.176954031 CEST | 192.168.2.8 | 1.1.1.1 | 0x827e | Standard query (0) | fightsystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:57.212913990 CEST | 192.168.2.8 | 1.1.1.1 | 0xd58c | Standard query (0) | partytrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:57.226860046 CEST | 192.168.2.8 | 1.1.1.1 | 0x85f1 | Standard query (0) | fighttrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:57.387175083 CEST | 192.168.2.8 | 1.1.1.1 | 0xe118 | Standard query (0) | freshlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:57.634114027 CEST | 192.168.2.8 | 1.1.1.1 | 0xb103 | Standard query (0) | experiencelaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:57.646895885 CEST | 192.168.2.8 | 1.1.1.1 | 0x4b | Standard query (0) | freshfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:58.610924959 CEST | 192.168.2.8 | 1.1.1.1 | 0x58e2 | Standard query (0) | experiencefancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:58.785491943 CEST | 192.168.2.8 | 1.1.1.1 | 0xd46b | Standard query (0) | freshconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.029863119 CEST | 192.168.2.8 | 1.1.1.1 | 0xed3a | Standard query (0) | experienceconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.041729927 CEST | 192.168.2.8 | 1.1.1.1 | 0x8b5f | Standard query (0) | freshfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.055022955 CEST | 192.168.2.8 | 1.1.1.1 | 0xdf34 | Standard query (0) | experiencefriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.307311058 CEST | 192.168.2.8 | 1.1.1.1 | 0x48d | Standard query (0) | gentlemanlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.318478107 CEST | 192.168.2.8 | 1.1.1.1 | 0xfc4e | Standard query (0) | alreadylaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.332151890 CEST | 192.168.2.8 | 1.1.1.1 | 0xadac | Standard query (0) | gentlemanfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.345741987 CEST | 192.168.2.8 | 1.1.1.1 | 0x697f | Standard query (0) | alreadyfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.357644081 CEST | 192.168.2.8 | 1.1.1.1 | 0x74bf | Standard query (0) | gentlemanconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.368601084 CEST | 192.168.2.8 | 1.1.1.1 | 0xd76e | Standard query (0) | alreadyconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.610183001 CEST | 192.168.2.8 | 1.1.1.1 | 0xf840 | Standard query (0) | gentlemanfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:59.865206957 CEST | 192.168.2.8 | 1.1.1.1 | 0xdef4 | Standard query (0) | alreadyfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:00.907918930 CEST | 192.168.2.8 | 1.1.1.1 | 0x2a0a | Standard query (0) | followlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:01.235503912 CEST | 192.168.2.8 | 1.1.1.1 | 0xd999 | Standard query (0) | memberlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:01.247356892 CEST | 192.168.2.8 | 1.1.1.1 | 0xde29 | Standard query (0) | followfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:01.266585112 CEST | 192.168.2.8 | 1.1.1.1 | 0xa401 | Standard query (0) | memberfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:01.510814905 CEST | 192.168.2.8 | 1.1.1.1 | 0x65b5 | Standard query (0) | followconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:01.524280071 CEST | 192.168.2.8 | 1.1.1.1 | 0x2520 | Standard query (0) | memberconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:01.538729906 CEST | 192.168.2.8 | 1.1.1.1 | 0xc37a | Standard query (0) | followfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:02.573220015 CEST | 192.168.2.8 | 1.1.1.1 | 0xf611 | Standard query (0) | memberfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:02.818362951 CEST | 192.168.2.8 | 1.1.1.1 | 0xc68f | Standard query (0) | beginlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:03.069844961 CEST | 192.168.2.8 | 1.1.1.1 | 0x5750 | Standard query (0) | knownlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:03.082120895 CEST | 192.168.2.8 | 1.1.1.1 | 0x610c | Standard query (0) | beginfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:57.428836107 CEST | 192.168.2.8 | 1.1.1.1 | 0x5c02 | Standard query (0) | smokeclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:57.674669027 CEST | 192.168.2.8 | 1.1.1.1 | 0x308f | Standard query (0) | womangeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:57.928169966 CEST | 192.168.2.8 | 1.1.1.1 | 0xc24a | Standard query (0) | smokegeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:57.941281080 CEST | 192.168.2.8 | 1.1.1.1 | 0x6718 | Standard query (0) | womaninclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:57.953811884 CEST | 192.168.2.8 | 1.1.1.1 | 0x72bf | Standard query (0) | smokeinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:57.966114044 CEST | 192.168.2.8 | 1.1.1.1 | 0xc648 | Standard query (0) | womannorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:57.978588104 CEST | 192.168.2.8 | 1.1.1.1 | 0x9804 | Standard query (0) | smokenorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:58.231544971 CEST | 192.168.2.8 | 1.1.1.1 | 0x3a25 | Standard query (0) | partyclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:58.247298956 CEST | 192.168.2.8 | 1.1.1.1 | 0x8d4b | Standard query (0) | fightclear.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:58.772082090 CEST | 192.168.2.8 | 1.1.1.1 | 0x6cd6 | Standard query (0) | fightgeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:58.783575058 CEST | 192.168.2.8 | 1.1.1.1 | 0xc2f | Standard query (0) | partyinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:58.795322895 CEST | 192.168.2.8 | 1.1.1.1 | 0xd7 | Standard query (0) | fightinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.040324926 CEST | 192.168.2.8 | 1.1.1.1 | 0x7ed8 | Standard query (0) | partynorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.052227974 CEST | 192.168.2.8 | 1.1.1.1 | 0xef46 | Standard query (0) | fightnorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.063220978 CEST | 192.168.2.8 | 1.1.1.1 | 0x344f | Standard query (0) | freshbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.075149059 CEST | 192.168.2.8 | 1.1.1.1 | 0x3fb | Standard query (0) | experiencebranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.089663982 CEST | 192.168.2.8 | 1.1.1.1 | 0x5901 | Standard query (0) | freshbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.101142883 CEST | 192.168.2.8 | 1.1.1.1 | 0x880f | Standard query (0) | experiencebelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.118431091 CEST | 192.168.2.8 | 1.1.1.1 | 0xe3b4 | Standard query (0) | freshreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.135755062 CEST | 192.168.2.8 | 1.1.1.1 | 0x8b82 | Standard query (0) | experiencereceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.387303114 CEST | 192.168.2.8 | 1.1.1.1 | 0x168d | Standard query (0) | freshquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.399113894 CEST | 192.168.2.8 | 1.1.1.1 | 0x9d3c | Standard query (0) | experiencequarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.417169094 CEST | 192.168.2.8 | 1.1.1.1 | 0xb3ea | Standard query (0) | gentlemanbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.429300070 CEST | 192.168.2.8 | 1.1.1.1 | 0x7de8 | Standard query (0) | alreadybranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.441529989 CEST | 192.168.2.8 | 1.1.1.1 | 0x5c5e | Standard query (0) | gentlemanbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.459481001 CEST | 192.168.2.8 | 1.1.1.1 | 0xb3f9 | Standard query (0) | alreadybelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.701643944 CEST | 192.168.2.8 | 1.1.1.1 | 0x768a | Standard query (0) | gentlemanreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.756491899 CEST | 192.168.2.8 | 1.1.1.1 | 0x4c79 | Standard query (0) | alreadyreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.767684937 CEST | 192.168.2.8 | 1.1.1.1 | 0xc27e | Standard query (0) | gentlemanquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.778903008 CEST | 192.168.2.8 | 1.1.1.1 | 0xab1a | Standard query (0) | alreadyquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.790527105 CEST | 192.168.2.8 | 1.1.1.1 | 0xe776 | Standard query (0) | followbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.800203085 CEST | 192.168.2.8 | 1.1.1.1 | 0xb007 | Standard query (0) | memberbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.813172102 CEST | 192.168.2.8 | 1.1.1.1 | 0x137f | Standard query (0) | followbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:37:59.829050064 CEST | 192.168.2.8 | 1.1.1.1 | 0x7dc0 | Standard query (0) | memberbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:00.075073004 CEST | 192.168.2.8 | 1.1.1.1 | 0xa9e1 | Standard query (0) | followreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:00.888679981 CEST | 192.168.2.8 | 1.1.1.1 | 0xa60e | Standard query (0) | followquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:00.901315928 CEST | 192.168.2.8 | 1.1.1.1 | 0x5060 | Standard query (0) | memberquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:00.914385080 CEST | 192.168.2.8 | 1.1.1.1 | 0xd899 | Standard query (0) | beginbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.156696081 CEST | 192.168.2.8 | 1.1.1.1 | 0x604d | Standard query (0) | knownbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.168790102 CEST | 192.168.2.8 | 1.1.1.1 | 0xae39 | Standard query (0) | beginbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.180885077 CEST | 192.168.2.8 | 1.1.1.1 | 0xa4a5 | Standard query (0) | knownbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.353596926 CEST | 192.168.2.8 | 1.1.1.1 | 0x2f8a | Standard query (0) | beginreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.598681927 CEST | 192.168.2.8 | 1.1.1.1 | 0x4f81 | Standard query (0) | knownreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.619714975 CEST | 192.168.2.8 | 1.1.1.1 | 0xea2c | Standard query (0) | beginquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.633131027 CEST | 192.168.2.8 | 1.1.1.1 | 0x364f | Standard query (0) | knownquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.645250082 CEST | 192.168.2.8 | 1.1.1.1 | 0x542e | Standard query (0) | summerbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.662019968 CEST | 192.168.2.8 | 1.1.1.1 | 0x6d8d | Standard query (0) | crowdbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.680368900 CEST | 192.168.2.8 | 1.1.1.1 | 0x567c | Standard query (0) | summerbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.693762064 CEST | 192.168.2.8 | 1.1.1.1 | 0xee5d | Standard query (0) | crowdbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.707885027 CEST | 192.168.2.8 | 1.1.1.1 | 0x5b10 | Standard query (0) | summerreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.720900059 CEST | 192.168.2.8 | 1.1.1.1 | 0xbc0 | Standard query (0) | crowdreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.971864939 CEST | 192.168.2.8 | 1.1.1.1 | 0x573e | Standard query (0) | summerquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:01.986692905 CEST | 192.168.2.8 | 1.1.1.1 | 0x6268 | Standard query (0) | crowdquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:02.786472082 CEST | 192.168.2.8 | 1.1.1.1 | 0x54c6 | Standard query (0) | waterbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:02.955905914 CEST | 192.168.2.8 | 1.1.1.1 | 0xc3cc | Standard query (0) | thoughtbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:02.967715025 CEST | 192.168.2.8 | 1.1.1.1 | 0x1dd1 | Standard query (0) | waterbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:02.981921911 CEST | 192.168.2.8 | 1.1.1.1 | 0xf04f | Standard query (0) | thoughtreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:02.995558977 CEST | 192.168.2.8 | 1.1.1.1 | 0xa661 | Standard query (0) | waterreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:03.008308887 CEST | 192.168.2.8 | 1.1.1.1 | 0x25bd | Standard query (0) | thoughtquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:03.020165920 CEST | 192.168.2.8 | 1.1.1.1 | 0xd781 | Standard query (0) | waterquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:03.032104015 CEST | 192.168.2.8 | 1.1.1.1 | 0x9a24 | Standard query (0) | womanbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:03.276165009 CEST | 192.168.2.8 | 1.1.1.1 | 0x193e | Standard query (0) | smokebranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:04.009152889 CEST | 192.168.2.8 | 1.1.1.1 | 0x8ded | Standard query (0) | smokebelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:04.020471096 CEST | 192.168.2.8 | 1.1.1.1 | 0x5480 | Standard query (0) | womanreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:04.271404982 CEST | 192.168.2.8 | 1.1.1.1 | 0x40c5 | Standard query (0) | smokereceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:38:04.286155939 CEST | 192.168.2.8 | 1.1.1.1 | 0x223 | Standard query (0) | womanquarter.net | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.298084021 CEST192.168.2.81.1.1.10x76d5Standard query (0)smokequarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.543216944 CEST192.168.2.81.1.1.10x5501Standard query (0)partybranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.796159983 CEST192.168.2.81.1.1.10x4cf5Standard query (0)fightbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.284837008 CEST192.168.2.81.1.1.10x561bStandard query (0)fightbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.528462887 CEST192.168.2.81.1.1.10xa0acStandard query (0)partyreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.771229982 CEST192.168.2.81.1.1.10xdc5dStandard query (0)fightreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.782999039 CEST192.168.2.81.1.1.10xcd94Standard query (0)partyquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.796008110 CEST192.168.2.81.1.1.10xe5ebStandard query (0)fightquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.038474083 CEST192.168.2.81.1.1.10x1901Standard query (0)freshhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.052314997 CEST192.168.2.81.1.1.10xf747Standard query (0)experiencehonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.068372965 CEST192.168.2.81.1.1.10x7f18Standard query (0)freshneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.080666065 CEST192.168.2.81.1.1.10xec21Standard query (0)experienceneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.092946053 CEST192.168.2.81.1.1.10x5746Standard query (0)freshsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.105006933 CEST192.168.2.81.1.1.10x2cf2Standard query (0)experiencesystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.351753950 CEST192.168.2.81.1.1.10xcdcStandard query (0)freshtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.367357016 CEST192.168.2.81.1.1.10x7c1eStandard query (0)experiencetrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.611430883 CEST192.168.2.81.1.1.10xab9cStandard query (0)gentlemanhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.854162931 CEST192.168.2.81.1.1.10x7b7eStandard query (0)alreadyhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.867189884 CEST192.168.2.81.1.1.10x4d18Standard query (0)gentlemanneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.115150928 CEST192.168.2.81.1.1.10xa064Standard query (0)alreadyneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.126703978 CEST192.168.2.81.1.1.10x3444Standard query (0)gentlemansystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.139151096 CEST192.168.2.81.1.1.10x63c3Standard query (0)alreadysystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.150753021 CEST192.168.2.81.1.1.10x3d4eStandard query (0)gentlemantrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.404272079 CEST192.168.2.81.1.1.10xcc57Standard query (0)alreadytrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.648349047 CEST192.168.2.81.1.1.10x9fa3Standard query (0)followhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.814178944 CEST192.168.2.81.1.1.10xfa02Standard query (0)memberhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.829015017 CEST192.168.2.81.1.1.10x1b16Standard query (0)followneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.841326952 CEST192.168.2.81.1.1.10x9a4bStandard query (0)memberneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:08.083017111 CEST192.168.2.81.1.1.10x72ecStandard query (0)followsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:08.756918907 CEST192.168.2.81.1.1.10xeaddStandard query (0)followtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.241879940 CEST192.168.2.81.1.1.10x6c32Standard query (0)beginhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.253295898 CEST192.168.2.81.1.1.10x60b6Standard query (0)knownhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.495203972 CEST192.168.2.81.1.1.10x3075Standard query (0)beginneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.508620977 CEST192.168.2.81.1.1.10x5a00Standard query (0)knownneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.523475885 CEST192.168.2.81.1.1.10xe56cStandard query (0)beginsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.537851095 CEST192.168.2.81.1.1.10xbe2eStandard query (0)knownsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.550875902 CEST192.168.2.81.1.1.10x2439Standard query (0)begintrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.563930035 CEST192.168.2.81.1.1.10xff4bStandard query (0)knowntrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.575917959 CEST192.168.2.81.1.1.10xca31Standard query (0)summerhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.586576939 CEST192.168.2.81.1.1.10x6712Standard query (0)crowdhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.829626083 CEST192.168.2.81.1.1.10xda55Standard query (0)summerneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.080786943 CEST192.168.2.81.1.1.10x1776Standard query (0)crowdneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.093772888 CEST192.168.2.81.1.1.10xe088Standard query (0)summersystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.107048988 CEST192.168.2.81.1.1.10xd1aaStandard query (0)crowdsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.118805885 CEST192.168.2.81.1.1.10x9af6Standard query (0)summertrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.788712025 CEST192.168.2.81.1.1.10xdaf2Standard query (0)thoughthonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.951293945 CEST192.168.2.81.1.1.10x7387Standard query (0)waterhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.965055943 CEST192.168.2.81.1.1.10xae34Standard query (0)thoughtneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.980199099 CEST192.168.2.81.1.1.10xaa28Standard query (0)waterneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:12.237627029 CEST192.168.2.81.1.1.10xf6dStandard query (0)thoughttrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:12.250858068 CEST192.168.2.81.1.1.10x291cStandard query (0)watertrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.015707016 CEST192.168.2.81.1.1.10xaffeStandard query (0)smokehonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.027214050 CEST192.168.2.81.1.1.10xb17cStandard query (0)womanneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.044538021 CEST192.168.2.81.1.1.10xcebdStandard query (0)smokeneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.057059050 CEST192.168.2.81.1.1.10x5376Standard query (0)womansystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.299190998 CEST192.168.2.81.1.1.10x53fStandard query (0)smokesystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.311497927 CEST192.168.2.81.1.1.10xc9f4Standard query (0)womantrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.556307077 CEST192.168.2.81.1.1.10xd5Standard query (0)smoketrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.567822933 CEST192.168.2.81.1.1.10xb081Standard query (0)partyhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.821393967 CEST192.168.2.81.1.1.10x5b70Standard query (0)fighthonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.833159924 CEST192.168.2.81.1.1.10x30f8Standard query (0)partyneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:13.995239973 CEST192.168.2.81.1.1.10xb098Standard query (0)fightneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.245342016 CEST192.168.2.81.1.1.10x4234Standard query (0)partysystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.257494926 CEST192.168.2.81.1.1.10x3889Standard query (0)fightsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.291631937 CEST192.168.2.81.1.1.10x9fe3Standard query (0)partytrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.537060976 CEST192.168.2.81.1.1.10x2a72Standard query (0)fighttrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.551336050 CEST192.168.2.81.1.1.10x7288Standard query (0)freshlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.796035051 CEST192.168.2.81.1.1.10xcb3dStandard query (0)experiencelaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.756539106 CEST192.168.2.81.1.1.10x17c9Standard query (0)experiencefancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.770070076 CEST192.168.2.81.1.1.10xf21bStandard query (0)freshconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:15.784178019 CEST192.168.2.81.1.1.10x2631Standard query (0)experienceconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.028703928 CEST192.168.2.81.1.1.10x526fStandard query (0)freshfriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.041012049 CEST192.168.2.81.1.1.10x1d4aStandard query (0)experiencefriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.053503990 CEST192.168.2.81.1.1.10xf291Standard query (0)gentlemanlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.064435005 CEST192.168.2.81.1.1.10x2b29Standard query (0)alreadylaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.077012062 CEST192.168.2.81.1.1.10x9313Standard query (0)gentlemanfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.091434002 CEST192.168.2.81.1.1.10xedeeStandard query (0)alreadyfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.104024887 CEST192.168.2.81.1.1.10x1d3Standard query (0)gentlemanconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.117809057 CEST192.168.2.81.1.1.10xa2b9Standard query (0)alreadyconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.129972935 CEST192.168.2.81.1.1.10xea7dStandard query (0)gentlemanfriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.645587921 CEST192.168.2.81.1.1.10xa449Standard query (0)followlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.661075115 CEST192.168.2.81.1.1.10x23e7Standard query (0)memberlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.903548956 CEST192.168.2.81.1.1.10x5e39Standard query (0)followfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.915522099 CEST192.168.2.81.1.1.10x1717Standard query (0)memberfancy.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:16.927206039 CEST192.168.2.81.1.1.10xac98Standard query (0)followconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.176739931 CEST192.168.2.81.1.1.10x269fStandard query (0)memberconsider.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:17.878387928 CEST192.168.2.81.1.1.10xebfaStandard query (0)memberfriend.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.121047020 CEST192.168.2.81.1.1.10xaf2aStandard query (0)beginlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.133156061 CEST192.168.2.81.1.1.10x2632Standard query (0)knownlaughter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:18.146609068 CEST192.168.2.81.1.1.10x7fbStandard query (0)beginfancy.netA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 5, 2024 16:36:39.368855000 CEST | 1.1.1.1 | 192.168.2.8 | 0x8c84 | Name error (3) | smokeclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.611361027 CEST | 1.1.1.1 | 192.168.2.8 | 0x40e4 | Name error (3) | womangeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.854981899 CEST | 1.1.1.1 | 192.168.2.8 | 0xa5da | Name error (3) | smokegeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.867891073 CEST | 1.1.1.1 | 192.168.2.8 | 0x7cf8 | Name error (3) | womaninclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:39.878309011 CEST | 1.1.1.1 | 192.168.2.8 | 0x5a13 | Name error (3) | smokeinclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.118793011 CEST | 1.1.1.1 | 192.168.2.8 | 0xf8a9 | Name error (3) | womannorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.286669970 CEST | 1.1.1.1 | 192.168.2.8 | 0x15ed | Name error (3) | smokenorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:36:40.297940969 CEST | 1.1.1.1 | 192.168.2.8 | 0x9c70 | Name error (3) | partyclear.net | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                          Aug 5, 2024 16:36:40.540282011 CEST1.1.1.1192.168.2.80xfcb8Name error (3)fightclear.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:40.552257061 CEST1.1.1.1192.168.2.80x31f9No error (0)partygeneral.net3.33.130.190A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:40.552257061 CEST1.1.1.1192.168.2.80x31f9No error (0)partygeneral.net15.197.148.33A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:41.235057116 CEST1.1.1.1192.168.2.80xf574Name error (3)fightgeneral.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:41.478492022 CEST1.1.1.1192.168.2.80xe786Name error (3)partyinclude.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:41.487771988 CEST1.1.1.1192.168.2.80x427eName error (3)fightinclude.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:41.496058941 CEST1.1.1.1192.168.2.80xe47bName error (3)partynorth.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:41.752202988 CEST1.1.1.1192.168.2.80xe3e2Name error (3)fightnorth.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.000659943 CEST1.1.1.1192.168.2.80xa396Name error (3)freshbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.015692949 CEST1.1.1.1192.168.2.80x5075Name error (3)experiencebranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.027812004 CEST1.1.1.1192.168.2.80x1d11Name error (3)freshbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.040721893 CEST1.1.1.1192.168.2.80x770Name error (3)experiencebelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.058551073 CEST1.1.1.1192.168.2.80x311aName error (3)freshreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.318908930 CEST1.1.1.1192.168.2.80x13bfName error (3)experiencereceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.330058098 CEST1.1.1.1192.168.2.80xba01Name error (3)freshquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.574553013 CEST1.1.1.1192.168.2.80xea77Name error (3)experiencequarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.586019993 CEST1.1.1.1192.168.2.80x6dd9Name error (3)gentlemanbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.598232031 CEST1.1.1.1192.168.2.80x32cbName error (3)alreadybranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.613347054 CEST1.1.1.1192.168.2.80x5306Name error (3)gentlemanbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.625917912 CEST1.1.1.1192.168.2.80x6cafName error (3)alreadybelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.638657093 CEST1.1.1.1192.168.2.80xbe45Name error (3)gentlemanreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.649710894 CEST1.1.1.1192.168.2.80x1493Name error (3)alreadyreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.666552067 CEST1.1.1.1192.168.2.80x35ccName error (3)gentlemanquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.680490017 CEST1.1.1.1192.168.2.80x7027Name error (3)alreadyquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.693288088 CEST1.1.1.1192.168.2.80xf224Name error (3)followbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.704880953 CEST1.1.1.1192.168.2.80xc09Name error (3)memberbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.716902971 CEST1.1.1.1192.168.2.80x44dcName error (3)followbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.729437113 CEST1.1.1.1192.168.2.80x8bd7Name error (3)memberbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.743010044 CEST1.1.1.1192.168.2.80xd2f9Name error (3)followreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:42.933907986 CEST1.1.1.1192.168.2.80x2355No error (0)memberreceive.net35.164.78.200A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:43.692328930 CEST1.1.1.1192.168.2.80x8114Name error (3)followquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:43.752058983 CEST1.1.1.1192.168.2.80x6443Name error (3)memberquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:43.764357090 CEST1.1.1.1192.168.2.80x3845Name error (3)beginbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:43.777448893 CEST1.1.1.1192.168.2.80xe433Name error (3)knownbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.015759945 CEST1.1.1.1192.168.2.80xea7aName error (3)beginbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.028564930 CEST1.1.1.1192.168.2.80x3ab3Name error (3)knownbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.278059959 CEST1.1.1.1192.168.2.80x8097Name error (3)beginreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.293302059 CEST1.1.1.1192.168.2.80x35b6Name error (3)knownreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.304867029 CEST1.1.1.1192.168.2.80x861bName error (3)beginquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.322139025 CEST1.1.1.1192.168.2.80x3333Name error (3)knownquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.332329035 CEST1.1.1.1192.168.2.80x390bName error (3)summerbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.580202103 CEST1.1.1.1192.168.2.80x5141Name error (3)crowdbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.597767115 CEST1.1.1.1192.168.2.80x14b6Name error (3)summerbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.608977079 CEST1.1.1.1192.168.2.80x6331Name error (3)crowdbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.621057987 CEST1.1.1.1192.168.2.80x82bdName error (3)summerreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.863224030 CEST1.1.1.1192.168.2.80x96c8Name error (3)crowdreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.874325991 CEST1.1.1.1192.168.2.80x1938Name error (3)summerquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:44.887716055 CEST1.1.1.1192.168.2.80x99e7Name error (3)crowdquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.091850996 CEST1.1.1.1192.168.2.80x207bNo error (0)thoughtbranch.net34.246.200.160A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.931898117 CEST1.1.1.1192.168.2.80xff51Name error (3)waterbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.944937944 CEST1.1.1.1192.168.2.80x1daaName error (3)thoughtbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.958379984 CEST1.1.1.1192.168.2.80x6c04Name error (3)waterbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.970640898 CEST1.1.1.1192.168.2.80x9a33Name error (3)thoughtreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:45.981431007 CEST1.1.1.1192.168.2.80x3afName error (3)waterreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.159359932 CEST1.1.1.1192.168.2.80x7187Name error (3)thoughtquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.170938969 CEST1.1.1.1192.168.2.80xf8f4Name error (3)waterquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.183216095 CEST1.1.1.1192.168.2.80x2f0bName error (3)womanbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.423681021 CEST1.1.1.1192.168.2.80xe4f5Name error (3)smokebranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.437474966 CEST1.1.1.1192.168.2.80x6d7eNo error (0)womanbelieve.net15.197.142.173A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.437474966 CEST1.1.1.1192.168.2.80x6d7eNo error (0)womanbelieve.net3.33.152.147A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:46.954034090 CEST1.1.1.1192.168.2.80x3dbcName error (3)smokebelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.198570967 CEST1.1.1.1192.168.2.80x359Name error (3)womanreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.210464001 CEST1.1.1.1192.168.2.80xd753Name error (3)smokereceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.226707935 CEST1.1.1.1192.168.2.80x8ff9Name error (3)womanquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.246351957 CEST1.1.1.1192.168.2.80xb38fName error (3)smokequarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.279947042 CEST1.1.1.1192.168.2.80x4110Name error (3)partybranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.291918039 CEST1.1.1.1192.168.2.80x90daName error (3)fightbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:47.628916979 CEST1.1.1.1192.168.2.80x37afNo error (0)partybelieve.net15.197.192.55A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.110498905 CEST1.1.1.1192.168.2.80xd84Name error (3)fightbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.355052948 CEST1.1.1.1192.168.2.80xff68Name error (3)partyreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.369045973 CEST1.1.1.1192.168.2.80x9407Name error (3)fightreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.386740923 CEST1.1.1.1192.168.2.80x4f4Name error (3)partyquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.633297920 CEST1.1.1.1192.168.2.80xd298Name error (3)fightquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.649682999 CEST1.1.1.1192.168.2.80x8360Name error (3)freshhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.662101984 CEST1.1.1.1192.168.2.80xc4d5Name error (3)experiencehonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.673151016 CEST1.1.1.1192.168.2.80x93eeName error (3)freshneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.686657906 CEST1.1.1.1192.168.2.80x1d2cName error (3)experienceneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.698379040 CEST1.1.1.1192.168.2.80x8c51Name error (3)freshsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.709713936 CEST1.1.1.1192.168.2.80xbb44Name error (3)experiencesystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.721396923 CEST1.1.1.1192.168.2.80x620fName error (3)freshtrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.963458061 CEST1.1.1.1192.168.2.80x966bName error (3)experiencetrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:48.972209930 CEST1.1.1.1192.168.2.80xa003Name error (3)gentlemanhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:36:49.215868950 CEST1.1.1.1192.168.2.80x849dName error (3)alreadyhonor.netnonenoneA (IP address)IN (0x0001)false
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Aug 5, 2024 16:36:49.227722883 CEST | 1.1.1.1 | 192.168.2.8 | 0xede0 | Name error (3) | gentlemanneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.239301920 CEST | 1.1.1.1 | 192.168.2.8 | 0xae85 | Name error (3) | alreadyneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.506944895 CEST | 1.1.1.1 | 192.168.2.8 | 0xe524 | Name error (3) | gentlemansystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.519426107 CEST | 1.1.1.1 | 192.168.2.8 | 0xc5ff | Name error (3) | alreadysystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.530726910 CEST | 1.1.1.1 | 192.168.2.8 | 0xbf93 | Name error (3) | gentlemantrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.542201042 CEST | 1.1.1.1 | 192.168.2.8 | 0x220c | Name error (3) | alreadytrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.792819977 CEST | 1.1.1.1 | 192.168.2.8 | 0xe85 | Name error (3) | followhonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.804862022 CEST | 1.1.1.1 | 192.168.2.8 | 0x9bce | Name error (3) | memberhonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.818869114 CEST | 1.1.1.1 | 192.168.2.8 | 0x2ad0 | Name error (3) | followneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.832920074 CEST | 1.1.1.1 | 192.168.2.8 | 0x7a61 | Name error (3) | memberneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.846533060 CEST | 1.1.1.1 | 192.168.2.8 | 0xacd1 | Name error (3) | followsystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:49.884671926 CEST | 1.1.1.1 | 192.168.2.8 | 0x2f34 | No error (0) | membersystem.net | | 85.13.130.3 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:50.560969114 CEST | 1.1.1.1 | 192.168.2.8 | 0xb845 | Name error (3) | followtrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:50.576527119 CEST | 1.1.1.1 | 192.168.2.8 | 0x6ea7 | No error (0) | membertrust.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:50.576527119 CEST | 1.1.1.1 | 192.168.2.8 | 0x6ea7 | No error (0) | membertrust.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:51.292993069 CEST | 1.1.1.1 | 192.168.2.8 | 0x7501 | Name error (3) | beginhonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:51.536947012 CEST | 1.1.1.1 | 192.168.2.8 | 0x582d | Name error (3) | knownhonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:51.786314011 CEST | 1.1.1.1 | 192.168.2.8 | 0xabde | Name error (3) | beginneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:51.802022934 CEST | 1.1.1.1 | 192.168.2.8 | 0x1f4e | Name error (3) | knownneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:51.813405037 CEST | 1.1.1.1 | 192.168.2.8 | 0x8c0a | Name error (3) | beginsystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:51.824346066 CEST | 1.1.1.1 | 192.168.2.8 | 0xf37 | Name error (3) | knownsystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:51.836872101 CEST | 1.1.1.1 | 192.168.2.8 | 0xb68a | Name error (3) | begintrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:52.088181973 CEST | 1.1.1.1 | 192.168.2.8 | 0xba61 | Name error (3) | knowntrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:52.100846052 CEST | 1.1.1.1 | 192.168.2.8 | 0x3292 | Name error (3) | summerhonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:52.346534014 CEST | 1.1.1.1 | 192.168.2.8 | 0x8c2b | Name error (3) | crowdhonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:52.358089924 CEST | 1.1.1.1 | 192.168.2.8 | 0xf4e6 | Name error (3) | summerneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:52.369129896 CEST | 1.1.1.1 | 192.168.2.8 | 0x5b04 | Name error (3) | crowdneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:52.796561003 CEST | 1.1.1.1 | 192.168.2.8 | 0xc28c | Name error (3) | summersystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:52.810426950 CEST | 1.1.1.1 | 192.168.2.8 | 0xd01 | Name error (3) | crowdsystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:52.823853970 CEST | 1.1.1.1 | 192.168.2.8 | 0x3194 | Name error (3) | summertrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:53.277653933 CEST | 1.1.1.1 | 192.168.2.8 | 0xd224 | No error (0) | crowdtrust.net | | 170.187.200.48 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:53.802386999 CEST | 1.1.1.1 | 192.168.2.8 | 0xc030 | Name error (3) | thoughthonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:53.814697027 CEST | 1.1.1.1 | 192.168.2.8 | 0xd321 | Name error (3) | waterhonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:54.055990934 CEST | 1.1.1.1 | 192.168.2.8 | 0x5f01 | Name error (3) | thoughtneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:54.068696022 CEST | 1.1.1.1 | 192.168.2.8 | 0x30c5 | Name error (3) | waterneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:54.105180025 CEST | 1.1.1.1 | 192.168.2.8 | 0x46cc | No error (0) | thoughtsystem.net | | 213.171.195.105 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:54.886974096 CEST | 1.1.1.1 | 192.168.2.8 | 0x8445 | No error (0) | watersystem.net | | 64.190.63.222 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:55.568685055 CEST | 1.1.1.1 | 192.168.2.8 | 0x4f9f | Name error (3) | thoughttrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:55.584660053 CEST | 1.1.1.1 | 192.168.2.8 | 0x2034 | Name error (3) | watertrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:55.785990953 CEST | 1.1.1.1 | 192.168.2.8 | 0xe854 | No error (0) | womanhonor.net | | 54.244.188.177 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.552134037 CEST | 1.1.1.1 | 192.168.2.8 | 0x896d | Name error (3) | smokehonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.567317963 CEST | 1.1.1.1 | 192.168.2.8 | 0x538b | Name error (3) | womanneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.580863953 CEST | 1.1.1.1 | 192.168.2.8 | 0x64f2 | Name error (3) | smokeneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.595370054 CEST | 1.1.1.1 | 192.168.2.8 | 0x2764 | Name error (3) | womansystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.608808041 CEST | 1.1.1.1 | 192.168.2.8 | 0x3175 | Name error (3) | smokesystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.621980906 CEST | 1.1.1.1 | 192.168.2.8 | 0x5f99 | Name error (3) | womantrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.638958931 CEST | 1.1.1.1 | 192.168.2.8 | 0x792d | Name error (3) | smoketrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.653503895 CEST | 1.1.1.1 | 192.168.2.8 | 0x2562 | Name error (3) | partyhonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.897937059 CEST | 1.1.1.1 | 192.168.2.8 | 0x6fe9 | Name error (3) | fighthonor.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:56.912920952 CEST | 1.1.1.1 | 192.168.2.8 | 0x31d5 | Name error (3) | partyneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:57.155175924 CEST | 1.1.1.1 | 192.168.2.8 | 0x93b1 | Name error (3) | fightneither.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:57.175685883 CEST | 1.1.1.1 | 192.168.2.8 | 0x59d2 | Name error (3) | partysystem.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:57.225847960 CEST | 1.1.1.1 | 192.168.2.8 | 0xd58c | Name error (3) | partytrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:57.386040926 CEST | 1.1.1.1 | 192.168.2.8 | 0x85f1 | Name error (3) | fighttrust.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:57.633265972 CEST | 1.1.1.1 | 192.168.2.8 | 0xe118 | Name error (3) | freshlaughter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:57.646018982 CEST | 1.1.1.1 | 192.168.2.8 | 0xb103 | Name error (3) | experiencelaughter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:57.675052881 CEST | 1.1.1.1 | 192.168.2.8 | 0x4b | No error (0) | freshfancy.net | | 81.169.145.88 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:58.784452915 CEST | 1.1.1.1 | 192.168.2.8 | 0x58e2 | Name error (3) | experiencefancy.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.028749943 CEST | 1.1.1.1 | 192.168.2.8 | 0xd46b | Name error (3) | freshconsider.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.040896893 CEST | 1.1.1.1 | 192.168.2.8 | 0xed3a | Name error (3) | experienceconsider.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.054090977 CEST | 1.1.1.1 | 192.168.2.8 | 0x8b5f | Name error (3) | freshfriend.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.306061029 CEST | 1.1.1.1 | 192.168.2.8 | 0xdf34 | Name error (3) | experiencefriend.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.317742109 CEST | 1.1.1.1 | 192.168.2.8 | 0x48d | Name error (3) | gentlemanlaughter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.331271887 CEST | 1.1.1.1 | 192.168.2.8 | 0xfc4e | Name error (3) | alreadylaughter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.345051050 CEST | 1.1.1.1 | 192.168.2.8 | 0xadac | Name error (3) | gentlemanfancy.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.357047081 CEST | 1.1.1.1 | 192.168.2.8 | 0x697f | Name error (3) | alreadyfancy.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.367822886 CEST | 1.1.1.1 | 192.168.2.8 | 0x74bf | Name error (3) | gentlemanconsider.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.609183073 CEST | 1.1.1.1 | 192.168.2.8 | 0xd76e | Name error (3) | alreadyconsider.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:36:59.864170074 CEST | 1.1.1.1 | 192.168.2.8 | 0xf840 | Name error (3) | gentlemanfriend.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:00.352580070 CEST | 1.1.1.1 | 192.168.2.8 | 0xdef4 | No error (0) | alreadyfriend.net | | 15.197.192.55 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:01.234253883 CEST | 1.1.1.1 | 192.168.2.8 | 0x2a0a | Name error (3) | followlaughter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:01.246416092 CEST | 1.1.1.1 | 192.168.2.8 | 0xd999 | Name error (3) | memberlaughter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:01.265527010 CEST | 1.1.1.1 | 192.168.2.8 | 0xde29 | Name error (3) | followfancy.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:01.509727955 CEST | 1.1.1.1 | 192.168.2.8 | 0xa401 | Name error (3) | memberfancy.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:01.523408890 CEST | 1.1.1.1 | 192.168.2.8 | 0x65b5 | Name error (3) | followconsider.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:01.537791014 CEST | 1.1.1.1 | 192.168.2.8 | 0x2520 | Name error (3) | memberconsider.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:01.869175911 CEST | 1.1.1.1 | 192.168.2.8 | 0xc37a | No error (0) | followfriend.net | | 188.225.40.227 | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:02.816730976 CEST | 1.1.1.1 | 192.168.2.8 | 0xf611 | Name error (3) | memberfriend.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:03.069011927 CEST | 1.1.1.1 | 192.168.2.8 | 0xc68f | Name error (3) | beginlaughter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:03.081201077 CEST | 1.1.1.1 | 192.168.2.8 | 0x5750 | Name error (3) | knownlaughter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:03.092972040 CEST | 1.1.1.1 | 192.168.2.8 | 0x610c | Name error (3) | beginfancy.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:57.670433998 CEST | 1.1.1.1 | 192.168.2.8 | 0x5c02 | Name error (3) | smokeclear.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:57.927356958 CEST | 1.1.1.1 | 192.168.2.8 | 0x308f | Name error (3) | womangeneral.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:57.940391064 CEST | 1.1.1.1 | 192.168.2.8 | 0xc24a | Name error (3) | smokegeneral.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:57.952907085 CEST | 1.1.1.1 | 192.168.2.8 | 0x6718 | Name error (3) | womaninclude.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:57.965336084 CEST | 1.1.1.1 | 192.168.2.8 | 0x72bf | Name error (3) | smokeinclude.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:57.977690935 CEST | 1.1.1.1 | 192.168.2.8 | 0xc648 | Name error (3) | womannorth.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:58.230727911 CEST | 1.1.1.1 | 192.168.2.8 | 0x9804 | Name error (3) | smokenorth.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:58.246515989 CEST | 1.1.1.1 | 192.168.2.8 | 0x3a25 | Name error (3) | partyclear.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:58.258975029 CEST | 1.1.1.1 | 192.168.2.8 | 0x8d4b | Name error (3) | fightclear.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:58.782063007 CEST | 1.1.1.1 | 192.168.2.8 | 0x6cd6 | Name error (3) | fightgeneral.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:58.794399977 CEST | 1.1.1.1 | 192.168.2.8 | 0xc2f | Name error (3) | partyinclude.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.039271116 CEST | 1.1.1.1 | 192.168.2.8 | 0xd7 | Name error (3) | fightinclude.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.051409006 CEST | 1.1.1.1 | 192.168.2.8 | 0x7ed8 | Name error (3) | partynorth.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.062588930 CEST | 1.1.1.1 | 192.168.2.8 | 0xef46 | Name error (3) | fightnorth.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.074398041 CEST | 1.1.1.1 | 192.168.2.8 | 0x344f | Name error (3) | freshbranch.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.088793993 CEST | 1.1.1.1 | 192.168.2.8 | 0x3fb | Name error (3) | experiencebranch.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.100234985 CEST | 1.1.1.1 | 192.168.2.8 | 0x5901 | Name error (3) | freshbelieve.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.117769957 CEST | 1.1.1.1 | 192.168.2.8 | 0x880f | Name error (3) | experiencebelieve.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.134715080 CEST | 1.1.1.1 | 192.168.2.8 | 0xe3b4 | Name error (3) | freshreceive.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.379652023 CEST | 1.1.1.1 | 192.168.2.8 | 0x8b82 | Name error (3) | experiencereceive.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.398346901 CEST | 1.1.1.1 | 192.168.2.8 | 0x168d | Name error (3) | freshquarter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.416244030 CEST | 1.1.1.1 | 192.168.2.8 | 0x9d3c | Name error (3) | experiencequarter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.428545952 CEST | 1.1.1.1 | 192.168.2.8 | 0xb3ea | Name error (3) | gentlemanbranch.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.440690041 CEST | 1.1.1.1 | 192.168.2.8 | 0x7de8 | Name error (3) | alreadybranch.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.458669901 CEST | 1.1.1.1 | 192.168.2.8 | 0x5c5e | Name error (3) | gentlemanbelieve.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.700623989 CEST | 1.1.1.1 | 192.168.2.8 | 0xb3f9 | Name error (3) | alreadybelieve.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.715399981 CEST | 1.1.1.1 | 192.168.2.8 | 0x768a | Name error (3) | gentlemanreceive.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.766896009 CEST | 1.1.1.1 | 192.168.2.8 | 0x4c79 | Name error (3) | alreadyreceive.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.778212070 CEST | 1.1.1.1 | 192.168.2.8 | 0xc27e | Name error (3) | gentlemanquarter.net | none | none | A (IP address) | IN (0x0001) | false |
| Aug 5, 2024 16:37:59.789803982 CEST | 1.1.1.1 | 192.168.2.8 | 0xab1a | Name error (3) | alreadyquarter.net | none | none | A (IP address) | IN (0x0001) | false |
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.799540043 CEST1.1.1.1192.168.2.80xe776Name error (3)followbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.812242031 CEST1.1.1.1192.168.2.80xb007Name error (3)memberbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:37:59.828253984 CEST1.1.1.1192.168.2.80x137fName error (3)followbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.071831942 CEST1.1.1.1192.168.2.80x7dc0Name error (3)memberbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.086347103 CEST1.1.1.1192.168.2.80xa9e1Name error (3)followreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.900537014 CEST1.1.1.1192.168.2.80xa60eName error (3)followquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:00.913670063 CEST1.1.1.1192.168.2.80x5060Name error (3)memberquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.155545950 CEST1.1.1.1192.168.2.80xd899Name error (3)beginbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.167927980 CEST1.1.1.1192.168.2.80x604dName error (3)knownbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.180170059 CEST1.1.1.1192.168.2.80xae39Name error (3)beginbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.352588892 CEST1.1.1.1192.168.2.80xa4a5Name error (3)knownbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.597661972 CEST1.1.1.1192.168.2.80x2f8aName error (3)beginreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.618999958 CEST1.1.1.1192.168.2.80x4f81Name error (3)knownreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.632441044 CEST1.1.1.1192.168.2.80xea2cName error (3)beginquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.644659996 CEST1.1.1.1192.168.2.80x364fName error (3)knownquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.661240101 CEST1.1.1.1192.168.2.80x542eName error (3)summerbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.679740906 CEST1.1.1.1192.168.2.80x6d8dName error (3)crowdbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.693149090 CEST1.1.1.1192.168.2.80x567cName error (3)summerbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.707020044 CEST1.1.1.1192.168.2.80xee5dName error (3)crowdbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.720268965 CEST1.1.1.1192.168.2.80x5b10Name error (3)summerreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.970777988 CEST1.1.1.1192.168.2.80xbc0Name error (3)crowdreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:01.985738039 CEST1.1.1.1192.168.2.80x573eName error (3)summerquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:02.006782055 CEST1.1.1.1192.168.2.80x6268Name error (3)crowdquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:02.954701900 CEST1.1.1.1192.168.2.80x54c6Name error (3)waterbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:02.966984034 CEST1.1.1.1192.168.2.80xc3ccName error (3)thoughtbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:02.981306076 CEST1.1.1.1192.168.2.80x1dd1Name error (3)waterbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:02.994856119 CEST1.1.1.1192.168.2.80xf04fName error (3)thoughtreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:03.006686926 CEST1.1.1.1192.168.2.80xa661Name error (3)waterreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:03.019572020 CEST1.1.1.1192.168.2.80x25bdName error (3)thoughtquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:03.031160116 CEST1.1.1.1192.168.2.80xd781Name error (3)waterquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:03.275041103 CEST1.1.1.1192.168.2.80x9a24Name error (3)womanbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:03.286937952 CEST1.1.1.1192.168.2.80x193eName error (3)smokebranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.019555092 CEST1.1.1.1192.168.2.80x8dedName error (3)smokebelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.270334959 CEST1.1.1.1192.168.2.80x5480Name error (3)womanreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.285171986 CEST1.1.1.1192.168.2.80x40c5Name error (3)smokereceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.297135115 CEST1.1.1.1192.168.2.80x223Name error (3)womanquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.542114973 CEST1.1.1.1192.168.2.80x76d5Name error (3)smokequarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.795299053 CEST1.1.1.1192.168.2.80x5501Name error (3)partybranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:04.808367014 CEST1.1.1.1192.168.2.80x4cf5Name error (3)fightbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.527439117 CEST1.1.1.1192.168.2.80x561bName error (3)fightbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.770265102 CEST1.1.1.1192.168.2.80xa0acName error (3)partyreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.782088041 CEST1.1.1.1192.168.2.80xdc5dName error (3)fightreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:05.795113087 CEST1.1.1.1192.168.2.80xcd94Name error (3)partyquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.037519932 CEST1.1.1.1192.168.2.80xe5ebName error (3)fightquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.051501036 CEST1.1.1.1192.168.2.80x1901Name error (3)freshhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.067466021 CEST1.1.1.1192.168.2.80xf747Name error (3)experiencehonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.079953909 CEST1.1.1.1192.168.2.80x7f18Name error (3)freshneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.092104912 CEST1.1.1.1192.168.2.80xec21Name error (3)experienceneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.104203939 CEST1.1.1.1192.168.2.80x5746Name error (3)freshsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.350621939 CEST1.1.1.1192.168.2.80x2cf2Name error (3)experiencesystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.366333961 CEST1.1.1.1192.168.2.80xcdcName error (3)freshtrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.610652924 CEST1.1.1.1192.168.2.80x7c1eName error (3)experiencetrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.853066921 CEST1.1.1.1192.168.2.80xab9cName error (3)gentlemanhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:06.866261959 CEST1.1.1.1192.168.2.80x7b7eName error (3)alreadyhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.114356041 CEST1.1.1.1192.168.2.80x4d18Name error (3)gentlemanneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.126018047 CEST1.1.1.1192.168.2.80xa064Name error (3)alreadyneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.138246059 CEST1.1.1.1192.168.2.80x3444Name error (3)gentlemansystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.150002956 CEST1.1.1.1192.168.2.80x63c3Name error (3)alreadysystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.403168917 CEST1.1.1.1192.168.2.80x3d4eName error (3)gentlemantrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.647264004 CEST1.1.1.1192.168.2.80xcc57Name error (3)alreadytrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.813163042 CEST1.1.1.1192.168.2.80x9fa3Name error (3)followhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.828260899 CEST1.1.1.1192.168.2.80xfa02Name error (3)memberhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:07.840544939 CEST1.1.1.1192.168.2.80x1b16Name error (3)followneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:08.082031965 CEST1.1.1.1192.168.2.80x9a4bName error (3)memberneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:08.094218969 CEST1.1.1.1192.168.2.80x72ecName error (3)followsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:08.770143032 CEST1.1.1.1192.168.2.80xeaddName error (3)followtrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.252569914 CEST1.1.1.1192.168.2.80x6c32Name error (3)beginhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.494096994 CEST1.1.1.1192.168.2.80x60b6Name error (3)knownhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.507671118 CEST1.1.1.1192.168.2.80x3075Name error (3)beginneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.522731066 CEST1.1.1.1192.168.2.80x5a00Name error (3)knownneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.537250042 CEST1.1.1.1192.168.2.80xe56cName error (3)beginsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.550298929 CEST1.1.1.1192.168.2.80xbe2eName error (3)knownsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.563360929 CEST1.1.1.1192.168.2.80x2439Name error (3)begintrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.575318098 CEST1.1.1.1192.168.2.80xff4bName error (3)knowntrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.585946083 CEST1.1.1.1192.168.2.80xca31Name error (3)summerhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:09.828493118 CEST1.1.1.1192.168.2.80x6712Name error (3)crowdhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.079885960 CEST1.1.1.1192.168.2.80xda55Name error (3)summerneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.093116999 CEST1.1.1.1192.168.2.80x1776Name error (3)crowdneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.106477022 CEST1.1.1.1192.168.2.80xe088Name error (3)summersystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.118125916 CEST1.1.1.1192.168.2.80xd1aaName error (3)crowdsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.130733967 CEST1.1.1.1192.168.2.80x9af6Name error (3)summertrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.950330019 CEST1.1.1.1192.168.2.80xdaf2Name error (3)thoughthonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:38:10.964117050 CEST1.1.1.1192.168.2.80x7387Name error (3)waterhonor.netnonenoneA (IP address)IN (0x0001)false
Session ID: 0
Source IP: 192.168.2.8 | Source Port: 49704
Destination IP: 3.33.130.190 | Destination Port: 80
PID: 3120 | Process: C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:40.559609890 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: partygeneral.net
Aug 5, 2024 16:36:41.217849970 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:36:40 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
                                                                                                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID: 1
Source IP: 192.168.2.8 | Source Port: 49705
Destination IP: 35.164.78.200 | Destination Port: 80
PID: 3120 | Process: C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:42.940088987 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: memberreceive.net
Aug 5, 2024 16:36:43.672036886 CEST | 382 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:36:43 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=7c34a62bd93b3d9cf221de17cf0be2e2|8.46.123.33|1722868603|1722868603|0|1|0; path=/; domain=.memberreceive.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID: 2
Source IP: 192.168.2.8 | Source Port: 49706
Destination IP: 34.246.200.160 | Destination Port: 80
PID: 3120 | Process: C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:45.101304054 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: thoughtbranch.net
Aug 5, 2024 16:36:45.917510986 CEST | 382 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:36:45 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=dec91b6a3b5276c42277e59e91626051|8.46.123.33|1722868605|1722868605|0|1|0; path=/; domain=.thoughtbranch.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID: 3
Source IP: 192.168.2.8 | Source Port: 49707
Destination IP: 15.197.142.173 | Destination Port: 80
PID: 3120 | Process: C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:46.448748112 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: womanbelieve.net
Aug 5, 2024 16:36:46.941528082 CEST | 266 | IN | HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 05 Aug 2024 14:36:46 GMT
Content-Type: text/html
Content-Length: 118
Connection: close
                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                          Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>


Session ID: 4
Source IP: 192.168.2.8 | Source Port: 49708
Destination IP: 15.197.192.55 | Destination Port: 80
PID: 3120 | Process: C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:47.635165930 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: partybelieve.net
Aug 5, 2024 16:36:48.099404097 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:36:48 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
                                                                                                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49709 | 85.13.130.3 | 80 | 3120 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:49.891526937 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: membersystem.net
Aug 5, 2024 16:36:50.546163082 CEST | 452 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 05 Aug 2024 14:36:50 GMT
Server: Apache
Location: https://all-inkl.com/index.php
Content-Length: 238
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 6c 2d 69 6e 6b 6c 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://all-inkl.com/index.php">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | 3120 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:50.588196039 CEST | 82 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: membertrust.net
Aug 5, 2024 16:36:51.041480064 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:36:50 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49715 | 170.187.200.48 | 80 | 3120 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:53.283257008 CEST | 81 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: crowdtrust.net
Aug 5, 2024 16:36:53.790329933 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 05 Aug 2024 14:36:53 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49717 | 213.171.195.105 | 80 | 3120 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:54.110738039 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: thoughtsystem.net
Aug 5, 2024 16:36:54.854599953 CEST | 1236 | IN | HTTP/1.1 200 OK
server: nginx/1.20.1
date: Mon, 05 Aug 2024 14:36:54 GMT
content-type: text/html
content-length: 2873
last-modified: Tue, 16 Jul 2024 14:31:13 GMT
etag: "66968431-b39"
accept-ranges: bytes
connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 70 61 72 6b 69 6e 67 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 63 73 73 2f 69 6e 64 65 78 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 66 61 73 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel="stylesheet" href="/styles/css/index.css"> <link rel="shortcut icon" href="https://static.fasthosts.co.uk/icons/favicon.ico" type="image/x-icon" /> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-199510482-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-199510482-1'); </script> </head><body> <div class="container"> <nav class="logo"> <a href="https://fasthosts.co.uk/" rel="nofollow"> <img src="/assets/fasthosts-logo-secondary.svg" alt="Fasthosts"></img> </a> </nav> <main> <h2>Welcome to <span class="domain
Aug 5, 2024 16:36:54.854639053 CEST | 1236 | IN | Data Raw: 56 61 72 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 69 73 20 70 61 72 6b 65 64 20 66 6f 72 20 46 52 45 45 20 62 79 0a 20 20 20 20 20 20 20
Data Ascii: Var"></span></h2> <p> This domain name is parked for FREE by <strong><a href="https://fasthosts.co.uk/" rel="nofollow">fasthosts.co.uk</a></strong> </p> <div class="row"> <div class="card card--is-cta
Aug 5, 2024 16:36:54.854652882 CEST | 448 | IN | Data Raw: 66 61 73 74 68 6f 73 74 73 2e 63 6f 2e 75 6b 2f 63 6f 6e 74 61 63 74 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 64 6f 6d 61 69 6e 70 61 72 6b 69 6e 67 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 72 65 66 65 72 72 61 6c 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d
Data Ascii: fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_contact">Contact us</a> </main> </div> <script> const cleanHostname = document.location.hostname.indexOf("www.") && document.location.hos
Aug 5, 2024 16:36:54.856276035 CEST | 187 | IN | Data Raw: 61 22 29 2e 68 72 65 66 20 3d 20 60 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 68 6f 73 74 73 2e 63 6f 2e 75 6b 2f 64 6f 6d 61 69 6e 2d 6e 61 6d 65 73 2f 73 65 61 72 63 68 2f 3f 64 6f 6d 61 69 6e 3d 24 7b 63 6c 65 61 6e 48 6f 73 74 6e 61 6d
Data Ascii: a").href = `https://www.fasthosts.co.uk/domain-names/search/?domain=${cleanHostname}&utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_dac` </script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 49718 | 64.190.63.222 | 80 | 3120 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:54.893682003 CEST | 82 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: watersystem.net
Aug 5, 2024 16:36:55.556778908 CEST | 208 | IN | HTTP/1.1 403 Forbidden
content-length: 93
cache-control: no-cache
content-type: text/html
connection: close
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.8 | 49719 | 54.244.188.177 | 80 | 3120 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:55.803735971 CEST | 81 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: womanhonor.net
Aug 5, 2024 16:36:56.538788080 CEST | 379 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:36:56 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=e4a1af7da9e412ba0271885a2c80464f|8.46.123.33|1722868616|1722868616|0|1|0; path=/; domain=.womanhonor.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49720 | 81.169.145.88 | 80 | 3120 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:36:57.680721998 CEST | 81 bytes | OUT
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: freshfancy.net
Aug 5, 2024 16:36:58.610064030 CEST | 374 bytes | IN
HTTP/1.1 404 Not Found
Date: Mon, 05 Aug 2024 14:36:58 GMT
Server: Apache/2.4.61 (Unix)
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
Connection: close
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 49721 | 15.197.192.55 | 80 | 3120 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:37:00.358747959 CEST | 84 bytes | OUT
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: alreadyfriend.net
Aug 5, 2024 16:37:00.906940937 CEST | 254 bytes | IN
HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:37:00 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>
Aug 5, 2024 16:37:01.227807045 CEST | 254 bytes | IN
HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:37:00 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 49722 | 188.225.40.227 | 80 | 3120 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:37:01.875263929 CEST | 83 bytes | OUT
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: followfriend.net
Aug 5, 2024 16:37:02.572331905 CEST | 373 bytes | IN
HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.1
Date: Mon, 05 Aug 2024 14:37:02 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Location: https://followfriend.net/index.php
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.8 | 49727 | 3.33.130.190 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:37:58.266943932 CEST | 83 bytes | OUT
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: partygeneral.net
Aug 5, 2024 16:37:58.771012068 CEST | 254 bytes | IN
HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:37:58 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.8 | 49728 | 35.164.78.200 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:00.097331047 CEST | 84 bytes | OUT
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: memberreceive.net
Aug 5, 2024 16:38:00.887597084 CEST | 382 bytes | IN
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:38:00 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=aadcae1f12773c796f272798cf7090a4|8.46.123.33|1722868680|1722868680|0|1|0; path=/; domain=.memberreceive.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.8 | 49729 | 34.246.200.160 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:02.013025045 CEST | 84 bytes | OUT
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: thoughtbranch.net
Aug 5, 2024 16:38:02.778914928 CEST | 382 bytes | IN
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:38:02 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=bae3360cd5ee8165131b6b50ebc8380c|8.46.123.33|1722868682|1722868682|0|1|0; path=/; domain=.thoughtbranch.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.8 | 49730 | 15.197.142.173 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:03.293293953 CEST | 83 bytes | OUT
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: womanbelieve.net
Aug 5, 2024 16:38:04.008315086 CEST | 266 bytes | IN
HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 05 Aug 2024 14:38:03 GMT
Content-Type: text/html
Content-Length: 118
Connection: close
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Aug 5, 2024 16:38:04.009181976 CEST | 266 bytes | IN
HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 05 Aug 2024 14:38:03 GMT
Content-Type: text/html
Content-Length: 118
Connection: close
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49731 | 15.197.192.55 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:04.815686941 CEST | 83 bytes | OUT
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: partybelieve.net
Aug 5, 2024 16:38:05.283921003 CEST | 254 bytes | IN
HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:38:05 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
                                                                                                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.8 | 49732 | 85.13.130.3 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:08.100370884 CEST | 83 | OUT | GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: membersystem.net
Aug 5, 2024 16:38:08.755995035 CEST | 452 | IN | HTTP/1.1 301 Moved Permanently
  Date: Mon, 05 Aug 2024 14:38:08 GMT
  Server: Apache
  Location: https://all-inkl.com/index.php
  Content-Length: 238
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 6c 2d 69 6e 6b 6c 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://all-inkl.com/index.php">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 49733 | 3.33.130.190 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:08.777964115 CEST | 82 | OUT | GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: membertrust.net
Aug 5, 2024 16:38:09.241031885 CEST | 254 | IN | HTTP/1.1 200 OK
  Server: openresty
  Date: Mon, 05 Aug 2024 14:38:09 GMT
  Content-Type: text/html
  Content-Length: 114
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.8 | 49734 | 170.187.200.48 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:10.136539936 CEST | 81 | OUT | GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: crowdtrust.net
Aug 5, 2024 16:38:10.787756920 CEST | 289 | IN | HTTP/1.1 404 Not Found
  Server: nginx
  Date: Mon, 05 Aug 2024 14:38:10 GMT
  Content-Type: text/html
  Content-Length: 146
  Connection: close
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.8 | 49735 | 213.171.195.105 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:11.000325918 CEST | 84 | OUT | GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: thoughtsystem.net
Aug 5, 2024 16:38:11.594600916 CEST | 1236 | IN | HTTP/1.1 200 OK
  server: nginx/1.20.1
  date: Mon, 05 Aug 2024 14:38:11 GMT
  content-type: text/html
  content-length: 2873
  last-modified: Tue, 16 Jul 2024 13:11:33 GMT
  etag: "66967185-b39"
  accept-ranges: bytes
  connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 70 61 72 6b 69 6e 67 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 63 73 73 2f 69 6e 64 65 78 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 66 61 73 [TRUNCATED]
  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel="stylesheet" href="/styles/css/index.css"> <link rel="shortcut icon" href="https://static.fasthosts.co.uk/icons/favicon.ico" type="image/x-icon" /> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-199510482-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-199510482-1'); </script> </head><body> <div class="container"> <nav class="logo"> <a href="https://fasthosts.co.uk/" rel="nofollow"> <img src="/assets/fasthosts-logo-secondary.svg" alt="Fasthosts"></img> </a> </nav> <main> <h2>Welcome to <span class="domain
Aug 5, 2024 16:38:11.594660997 CEST | 1236 | IN | Data Raw: 56 61 72 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 69 73 20 70 61 72 6b 65 64 20 66 6f 72 20 46 52 45 45 20 62 79 0a 20 20 20 20 20 20 20
  Data Ascii: Var"></span></h2> <p> This domain name is parked for FREE by <strong><a href="https://fasthosts.co.uk/" rel="nofollow">fasthosts.co.uk</a></strong> </p> <div class="row"> <div class="card card--is-cta
Aug 5, 2024 16:38:11.594698906 CEST | 635 | IN | Data Raw: 66 61 73 74 68 6f 73 74 73 2e 63 6f 2e 75 6b 2f 63 6f 6e 74 61 63 74 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 64 6f 6d 61 69 6e 70 61 72 6b 69 6e 67 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 72 65 66 65 72 72 61 6c 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d
  Data Ascii: fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_contact">Contact us</a> </main> </div> <script> const cleanHostname = document.location.hostname.indexOf("www.") && document.location.hos


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.8 | 49736 | 64.190.63.222 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:11.600789070 CEST | 82 | OUT | GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: watersystem.net
Aug 5, 2024 16:38:12.236787081 CEST | 208 | IN | HTTP/1.1 403 Forbidden
  content-length: 93
  cache-control: no-cache
  content-type: text/html
  connection: close
  Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.8 | 49737 | 54.244.188.177 | 80 | 5676 | C:\hjflhukc\yanidfx.exe

Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:12.267275095 CEST | 81 | OUT | GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: womanhonor.net
Aug 5, 2024 16:38:13.014705896 CEST | 379 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 14:38:12 GMT
  Content-Type: text/html
  Connection: close
  Set-Cookie: btst=606a76b356da1ad614efd10971699cc1|8.46.123.33|1722868692|1722868692|0|1|0; path=/; domain=.womanhonor.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


                                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                          25192.168.2.84973881.169.145.88805676C:\hjflhukc\yanidfx.exe
                                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                                          Aug 5, 2024 16:38:14.967596054 CEST81OUTGET /index.php HTTP/1.0
                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                          Host: freshfancy.net
Aug 5, 2024 16:38:15.755718946 CEST | 374 | IN | HTTP/1.1 404 Not Found
                                                                                                                                                                                                          Date: Mon, 05 Aug 2024 14:38:15 GMT
                                                                                                                                                                                                          Server: Apache/2.4.61 (Unix)
                                                                                                                                                                                                          Content-Length: 196
                                                                                                                                                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.8 | 49739 | 15.197.192.55 | 80 | 5676 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:16.146161079 CEST | 84 | OUT | GET /index.php HTTP/1.0
                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                          Host: alreadyfriend.net
Aug 5, 2024 16:38:16.644612074 CEST | 254 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                          Server: openresty
                                                                                                                                                                                                          Date: Mon, 05 Aug 2024 14:38:16 GMT
                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                          Content-Length: 114
                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.8 | 49740 | 188.225.40.227 | 80 | 5676 | C:\hjflhukc\yanidfx.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:38:17.197480917 CEST | 83 | OUT | GET /index.php HTTP/1.0
                                                                                                                                                                                                          Accept: */*
                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                          Host: followfriend.net
Aug 5, 2024 16:38:17.877573967 CEST | 373 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                          Server: nginx/1.26.1
                                                                                                                                                                                                          Date: Mon, 05 Aug 2024 14:38:17 GMT
                                                                                                                                                                                                          Content-Type: text/html
                                                                                                                                                                                                          Content-Length: 169
                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                          Location: https://followfriend.net/index.php
                                                                                                                                                                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>
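
The three sessions above all originate from PID 5676 (C:\hjflhukc\yanidfx.exe) and share one shape: a bare HTTP/1.0 GET /index.php with no User-Agent, Connection: close, exactly one request per host, and no reply that looks like a working command-and-control endpoint (a 404, a parked-domain page whose only content is a JavaScript redirect to /lander, and a 301 to the HTTPS version of the same URL). That is the pattern behind the report's "Tries to resolve many domain names, but no domain seems valid" and "HTTP GET or POST without a user agent" signatures. The following Python is an added triage example, not part of the Joe Sandbox report and not the sample's own code; it runs over constructed copies of those three exchanges (headers as captured, bodies trimmed) and applies the heuristic so the same check can be run over a full session export. The parked-page markers, the response labels and the verdict strings are assumptions of the example.

```python
from collections import defaultdict

# Constructed from the three sessions above (PID 5676, C:\hjflhukc\yanidfx.exe);
# headers as captured, bodies trimmed to what the classifier inspects.
SESSIONS = [
    {"pid": 5676, "dst": "81.169.145.88",
     "request": "GET /index.php HTTP/1.0\r\nAccept: */*\r\nConnection: close\r\n"
                "Host: freshfancy.net\r\n\r\n",
     "response": "HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.61 (Unix)\r\n"
                 "Content-Type: text/html; charset=iso-8859-1\r\nConnection: close\r\n\r\n"
                 "<html><head><title>404 Not Found</title></head></html>"},
    {"pid": 5676, "dst": "15.197.192.55",
     "request": "GET /index.php HTTP/1.0\r\nAccept: */*\r\nConnection: close\r\n"
                "Host: alreadyfriend.net\r\n\r\n",
     "response": "HTTP/1.1 200 OK\r\nServer: openresty\r\nContent-Type: text/html\r\n"
                 "Connection: close\r\n\r\n<!DOCTYPE html><html><head><script>"
                 'window.onload=function(){window.location.href="/lander"}'
                 "</script></head></html>"},
    {"pid": 5676, "dst": "188.225.40.227",
     "request": "GET /index.php HTTP/1.0\r\nAccept: */*\r\nConnection: close\r\n"
                "Host: followfriend.net\r\n\r\n",
     "response": "HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.26.1\r\n"
                 "Content-Type: text/html\r\nConnection: close\r\n"
                 "Location: https://followfriend.net/index.php\r\n\r\n"
                 "<html><head><title>301 Moved Permanently</title></head></html>"},
]

# Assumed markers of a parked/placeholder page (not from the report); extend
# the tuple from your own telemetry.
PARKED_MARKERS = ('window.location.href="/lander"', "this domain is parked",
                  "domain is for sale")


def parse_message(raw):
    """Split one HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_response(raw):
    """Label a reply by whether it could be a working C2 endpoint."""
    start, headers, body = parse_message(raw)
    status = int(start.split()[1])
    if status == 404:
        return "not-found"
    if status in (301, 302, 307, 308):
        loc = headers.get("location", "")
        return "redirect-to-https" if loc.startswith("https://") else "redirect"
    if status == 200:
        return "parked" if any(m in body for m in PARKED_MARKERS) else "live"
    return f"other-{status}"


def request_features(raw):
    """Extract the fields the beaconing heuristic looks at."""
    start, headers, _ = parse_message(raw)
    method, path, version = start.split()
    return {"path": path, "version": version, "host": headers.get("host", ""),
            "has_ua": "user-agent" in headers}


def triage(sessions):
    """Per PID: distinct hosts, UA-less requests, reply class per host, verdict."""
    by_pid = defaultdict(list)
    for s in sessions:
        by_pid[s["pid"]].append(s)
    report = {}
    for pid, group in by_pid.items():
        feats = [request_features(s["request"]) for s in group]
        classes = {f["host"]: classify_response(s["response"])
                   for f, s in zip(feats, group)}
        live = sorted(h for h, c in classes.items() if c == "live")
        no_ua = sum(not f["has_ua"] for f in feats)
        uniform = (len(classes) == len(group)                     # one shot per host
                   and len({f["path"] for f in feats}) == 1       # fixed path
                   and {f["version"] for f in feats} == {"HTTP/1.0"}
                   and no_ua == len(group))                       # never sends a User-Agent
        if not uniform:
            verdict = "no uniform probing pattern"
        elif live:
            verdict = "dga-like probing, candidate C2: " + ", ".join(live)
        else:
            verdict = "dga-like probing, no responsive C2"
        report[pid] = {"distinct_hosts": len(classes), "no_user_agent": no_ua,
                       "response_classes": classes, "verdict": verdict}
    return report


if __name__ == "__main__":
    for pid, r in triage(SESSIONS).items():
        print(f"PID {pid}: {r['verdict']}")
        for host, cls in r["response_classes"].items():
            print(f"  {host:<20} {cls}")
```

The point of classifying replies rather than counting status codes is that a 200 alone proves nothing: the alreadyfriend.net response is a registrar placeholder that would satisfy a naive "got a 200 from C2" rule, and a sinkhole would answer the same way. A host only becomes a candidate C2 here when it returns 200 with content that is not a parking page; the 301 to HTTPS is also worth noting, because a client that speaks bare HTTP/1.0 with no User-Agent will not follow it, so the redirect target was never actually contacted during this run.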


Target ID: 0
Start time: 10:36:34
Start date: 05/08/2024
Path: C:\Users\user\Desktop\7qBBKk0P4l.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\7qBBKk0P4l.exe"
Imagebase: 0xae0000
File size: 236'032 bytes
MD5 hash: 94E7772B2B1BDA89B23A2FBA0E57742E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:36:34
Start date: 05/08/2024
Path: C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe
Wow64 process (32bit): true
Commandline: "C:\hjflhukc\psjpq2s5tgtsjq0yguk.exe"
Imagebase: 0x5f0000
File size: 236'032 bytes
MD5 hash: 94E7772B2B1BDA89B23A2FBA0E57742E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 10:36:34
Start date: 05/08/2024
Path: C:\hjflhukc\yanidfx.exe
Wow64 process (32bit): true
Commandline: C:\hjflhukc\yanidfx.exe
Imagebase: 0x740000
File size: 236'032 bytes
MD5 hash: 94E7772B2B1BDA89B23A2FBA0E57742E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 10:36:36
Start date: 05/08/2024
Path: C:\hjflhukc\xxxniijvj.exe
Wow64 process (32bit): true
Commandline: tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
Imagebase: 0xce0000
File size: 236'032 bytes
MD5 hash: 94E7772B2B1BDA89B23A2FBA0E57742E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 5
Start time: 10:36:37
Start date: 05/08/2024
Path: C:\hjflhukc\yanidfx.exe
Wow64 process (32bit): true
Commandline: "C:\hjflhukc\yanidfx.exe"
Imagebase: 0x740000
File size: 236'032 bytes
MD5 hash: 94E7772B2B1BDA89B23A2FBA0E57742E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 9
Start time: 10:37:20
Start date: 05/08/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                          Start time:10:37:53
                                                                                                                                                                                                          Start date:05/08/2024
                                                                                                                                                                                                          Path:C:\hjflhukc\yanidfx.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"c:\hjflhukc\yanidfx.exe"
                                                                                                                                                                                                          Imagebase:0x740000
                                                                                                                                                                                                          File size:236'032 bytes
                                                                                                                                                                                                          MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                          Start time:10:37:54
                                                                                                                                                                                                          Start date:05/08/2024
                                                                                                                                                                                                          Path:C:\hjflhukc\xxxniijvj.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
                                                                                                                                                                                                          Imagebase:0x40000
                                                                                                                                                                                                          File size:236'032 bytes
                                                                                                                                                                                                          MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:13
                                                                                                                                                                                                          Start time:10:39:30
                                                                                                                                                                                                          Start date:05/08/2024
                                                                                                                                                                                                          Path:C:\hjflhukc\yanidfx.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"c:\hjflhukc\yanidfx.exe"
                                                                                                                                                                                                          Imagebase:0x740000
                                                                                                                                                                                                          File size:236'032 bytes
                                                                                                                                                                                                          MD5 hash:94E7772B2B1BDA89B23A2FBA0E57742E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true


Execution Graph

Execution Coverage:9%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:52%
Total number of Nodes:1325
Total number of Limit Nodes:6
8306 af5d87 GetStdHandle 8305->8306 8307 af5d74 8305->8307 8308 af5dc5 GetStdHandle 8306->8308 8309 af5db3 8306->8309 8307->8306 8310 af5dfa GetStdHandle 8308->8310 8309->8308 8310->8300 8313 ae56c5 GetProcessHeap HeapAlloc 8312->8313 8314 ae5695 8312->8314 8313->8304 8314->8313 7621 ae519e 7624 b023a6 7621->7624 7623 ae51b3 7625 b023c0 7624->7625 7626 b023e2 GetProcessHeap RtlAllocateHeap 7624->7626 7625->7626 7626->7623 7627 afaf1f 7628 afaf3f 7627->7628 7633 af111e 7628->7633 7630 afaf7b 7660 af54d8 7630->7660 7632 afafe0 Mailbox 7634 af114d 7633->7634 7635 af11d9 CreateFileA 7634->7635 7636 af1219 7635->7636 7637 af124b ReadFile FindCloseChangeNotification 7636->7637 7638 af15a4 7636->7638 7639 af129d 7637->7639 7638->7630 7640 af12bd GetTickCount 7639->7640 7667 ae51ca 7640->7667 7642 af12de 7671 b042b6 7642->7671 7644 af1310 7674 afa805 7644->7674 7646 af1378 7677 af8251 7646->7677 7648 af14e0 CreateFileA 7650 af154f 7648->7650 7650->7638 7652 af1564 WriteFile CloseHandle 7650->7652 7652->7638 7653 afa805 2 API calls 7654 af147e 7653->7654 7655 b042b6 lstrlen 7654->7655 7656 af14a0 7655->7656 7681 af074e 7656->7681 7658 af14a9 7659 af8251 2 API calls 7658->7659 7659->7648 7661 af54ea Mailbox 7660->7661 7662 af55fd CreateProcessA 7661->7662 7663 af5677 7662->7663 7664 af5633 7662->7664 7663->7632 7665 af564f CloseHandle CloseHandle 7664->7665 7666 af5645 7664->7666 7665->7663 7666->7665 7668 ae51ea 7667->7668 7669 b042b6 lstrlen 7668->7669 7670 ae5235 7669->7670 7670->7642 7672 b042cf lstrlen 7671->7672 7672->7644 7675 b023a6 Mailbox 2 API calls 7674->7675 7676 afa878 Mailbox 7675->7676 7676->7646 7678 af8268 Mailbox 7677->7678 7684 aede5a GetProcessHeap RtlFreeHeap 7678->7684 7682 af0764 wvsprintfA 7681->7682 7682->7658 7685 aede8a 7684->7685 7685->7648 7685->7653 8971 aec9ed 8972 aeca6f RegisterServiceCtrlHandlerA 8971->8972 8974 aecb13 SetServiceStatus CreateEventA 8972->8974 8985 aecda7 8972->8985 8976 aecbde SetServiceStatus 8974->8976 8977 aecbcd 
8974->8977 8978 aecc00 8976->8978 8977->8976 8979 aecc42 WaitForSingleObject 8978->8979 8979->8979 8980 aecc6f 8979->8980 8981 aeb7cd WaitForSingleObject 8980->8981 8982 aecc84 SetServiceStatus CloseHandle 8981->8982 8983 aecd01 SetServiceStatus 8982->8983 8983->8985 8986 b0cffe 8987 b0d050 8986->8987 8988 b05d58 2 API calls 8987->8988 8989 b0d055 8988->8989 8990 af5d50 3 API calls 8989->8990 8991 b0d067 8990->8991 8992 b0d108 ExitProcess 8991->8992 9193 afb360 9194 afb378 9193->9194 9195 b042b6 lstrlen 9194->9195 9196 afb3a5 9195->9196 9199 aefc31 9196->9199 9202 b098df 9199->9202 9201 aefc47 9203 b09923 9202->9203 9204 b09982 9203->9204 9206 b0998f 9203->9206 9205 aebdcb 8 API calls 9204->9205 9208 b0998d Mailbox 9205->9208 9207 aedbdf 8 API calls 9206->9207 9206->9208 9207->9208 9208->9201 8157 b04ee1 8158 b04efa 8157->8158 8161 b0d527 8158->8161 8160 b04f99 8162 b0d544 8161->8162 8165 aedbdf 8162->8165 8164 b0d559 Mailbox 8164->8160 8166 aedbf5 Mailbox 8165->8166 8167 aef821 Mailbox 8 API calls 8166->8167 8168 aedc18 8167->8168 8168->8164 8321 ae507a 8322 b042b6 lstrlen 8321->8322 8323 ae50a9 8322->8323 8169 aee2f9 8170 aee30a 8169->8170 8171 aeb7cd WaitForSingleObject 8170->8171 8172 aee324 8171->8172 8173 af15e5 ExitProcess 8172->8173 8174 aee35a 8173->8174 8175 b074e8 StartServiceCtrlDispatcherA 8324 aeba72 8326 aebb03 SetServiceStatus 8324->8326 8329 aeba89 8324->8329 8331 aebb88 SetEvent 8326->8331 8329->8326 8332 aebaa1 SetServiceStatus 8329->8332 8330 aebcd8 8331->8330 8332->8330 8333 ae444e 8334 ae446b 8333->8334 8337 aee4e4 8334->8337 8338 aee513 8337->8338 8339 aee69a 8338->8339 8340 aee553 8338->8340 8355 aeb38e 8339->8355 8342 aee576 8340->8342 8343 aee621 8340->8343 8347 b058f9 8342->8347 8344 b058f9 4 API calls 8343->8344 8346 ae4575 8344->8346 8348 b05931 8347->8348 8350 b059a1 8348->8350 8354 b05937 8348->8354 8363 ae85a4 8348->8363 8351 ae85a4 4 API calls 8350->8351 8353 b059f4 8350->8353 8351->8353 8367 b0572d 8353->8367 8354->8346 8356 aeb3c3 
8355->8356 8357 ae85a4 4 API calls 8356->8357 8358 aeb456 8356->8358 8357->8358 8359 ae4088 4 API calls 8358->8359 8360 aeb7b4 8358->8360 8361 aeb4c3 8359->8361 8360->8346 8361->8360 8362 ae4088 4 API calls 8361->8362 8362->8361 8364 ae85be 8363->8364 8366 ae860a Mailbox 8364->8366 8371 ae4088 8364->8371 8366->8350 8369 b05761 Mailbox 8367->8369 8368 b058d3 8368->8354 8369->8368 8370 aede5a Mailbox 2 API calls 8369->8370 8370->8369 8372 ae40bc 8371->8372 8376 ae40d8 8371->8376 8373 b023a6 Mailbox 2 API calls 8372->8373 8374 ae40d1 Mailbox 8373->8374 8375 aede5a Mailbox 2 API calls 8374->8375 8374->8376 8375->8376 8376->8366 7686 b024d3 7687 b0250c 7686->7687 7717 b0d256 GetSystemTime 7687->7717 7689 b0261c 7722 ae5c39 7689->7722 7691 b02645 7736 aef793 7691->7736 7694 afa805 2 API calls 7695 b026ad 7694->7695 7696 af8251 2 API calls 7695->7696 7697 b02706 7696->7697 7716 b027ba Mailbox 7697->7716 7741 ae3e8c 7697->7741 7699 b0473b 12 API calls 7699->7716 7704 ae3e8c GetSystemTimeAsFileTime 7704->7716 7705 af54d8 3 API calls 7705->7716 7707 af8251 GetProcessHeap RtlFreeHeap 7707->7716 7708 b07dc0 50 API calls 7708->7716 7709 b04927 32 API calls 7709->7716 7713 ae5724 8 API calls 7713->7716 7714 afa805 GetProcessHeap RtlAllocateHeap 7714->7716 7715 af8695 21 API calls 7715->7716 7716->7697 7716->7699 7716->7704 7716->7705 7716->7707 7716->7708 7716->7709 7716->7713 7716->7714 7716->7715 7745 b0443e 7716->7745 7757 ae846d 7716->7757 7761 ae695e 7716->7761 7764 aefe4b 7716->7764 7768 b09707 7716->7768 7780 af571f 7716->7780 7718 b0d2ec 7717->7718 7719 ae3e8c GetSystemTimeAsFileTime 7718->7719 7720 b0d368 GetTickCount 7719->7720 7721 b0d39b 7720->7721 7721->7689 7723 ae5c69 7722->7723 7724 b042b6 lstrlen 7723->7724 7731 ae6052 Mailbox 7723->7731 7725 ae5dce Sleep 7724->7725 7726 ae5e25 7725->7726 7727 afa805 2 API calls 7726->7727 7728 ae5e52 7727->7728 7729 af8251 2 API calls 7728->7729 7730 ae5e87 FindFirstFileA 7729->7730 7730->7731 7732 ae5ecd 7730->7732 7731->7691 
7733 ae5fdb DeleteFileA 7732->7733 7734 ae6018 FindNextFileA 7732->7734 7733->7732 7733->7734 7734->7732 7735 ae602e FindClose 7734->7735 7735->7731 7791 aeddd3 7736->7791 7739 b042b6 lstrlen 7740 aef80a 7739->7740 7740->7694 7742 ae3ebf GetSystemTimeAsFileTime 7741->7742 7744 ae3f11 __aulldiv 7742->7744 7744->7697 7746 b04470 7745->7746 7747 afa805 2 API calls 7746->7747 7748 b044cd 7747->7748 7749 afa805 2 API calls 7748->7749 7750 b044fc 7749->7750 7795 aea928 7750->7795 7753 af8251 2 API calls 7754 b04546 7753->7754 7755 af8251 2 API calls 7754->7755 7756 b0456f 7755->7756 7756->7716 7758 ae848a 7757->7758 7801 ae4f47 7758->7801 7830 b09883 7761->7830 7763 ae6983 7763->7716 7765 aefe66 Mailbox 7764->7765 7766 b09883 8 API calls 7765->7766 7767 aeff60 Mailbox 7765->7767 7766->7767 7767->7716 7769 b094ec Mailbox 8 API calls 7768->7769 7770 b02cf0 Sleep 7769->7770 7771 af2192 7770->7771 7772 af21ab 7771->7772 7773 af22b7 DeleteFileA 7772->7773 7778 af233c 7772->7778 7779 af23d9 7772->7779 7834 af9ef6 7772->7834 7773->7772 7775 af23c2 7843 ae5430 7775->7843 7778->7775 7839 aeb920 7778->7839 7779->7716 7781 af5751 CreateToolhelp32Snapshot 7780->7781 7785 af5828 7781->7785 7783 af5a95 Mailbox 7783->7716 7784 af58da Process32First 7786 af5a6c CloseHandle 7784->7786 7788 af590e 7784->7788 7785->7783 7785->7784 7786->7783 7789 af5a29 7788->7789 7790 af59c2 Process32Next 7788->7790 7881 af20d8 lstrlen 7788->7881 7789->7786 7790->7788 7792 aede20 7791->7792 7793 b042b6 lstrlen 7792->7793 7794 aede3f 7793->7794 7794->7739 7794->7740 7796 aea95f Mailbox 7795->7796 7797 afa805 2 API calls 7796->7797 7798 aeac5d 7797->7798 7799 af8251 2 API calls 7798->7799 7800 aeac90 7799->7800 7800->7753 7802 ae4f6e 7801->7802 7803 b042b6 lstrlen 7802->7803 7804 ae4f99 7803->7804 7807 b02f94 7804->7807 7806 ae4fa3 7806->7716 7810 b094ec 7807->7810 7809 b02fac Mailbox 7809->7806 7811 b09509 Mailbox 7810->7811 7813 b0950e Mailbox 7811->7813 7814 aef821 7811->7814 7813->7809 7815 aef845 
7814->7815 7817 aef85a Mailbox 7815->7817 7818 af7f29 7815->7818 7817->7813 7820 af7f48 Mailbox 7818->7820 7819 af8135 7827 b090f1 7819->7827 7820->7819 7822 af802a 7820->7822 7826 af8109 Mailbox 7820->7826 7823 b023a6 Mailbox 2 API calls 7822->7823 7824 af8057 Mailbox 7823->7824 7825 aede5a Mailbox 2 API calls 7824->7825 7825->7826 7826->7817 7828 b09152 GetProcessHeap HeapAlloc 7827->7828 7829 b0912b GetProcessHeap RtlReAllocateHeap 7827->7829 7828->7826 7829->7826 7831 b09898 Mailbox 7830->7831 7832 b094ec Mailbox 8 API calls 7831->7832 7833 b098a3 Mailbox 7832->7833 7833->7763 7847 af5b3e 7834->7847 7836 af9f0d 7851 ae82bf 7836->7851 7840 aeb93a 7839->7840 7841 aeb97f 7840->7841 7866 aede9c 7840->7866 7841->7778 7844 ae5438 7843->7844 7877 b094b4 7844->7877 7848 af5b5a Mailbox 7847->7848 7849 af7f29 Mailbox 8 API calls 7848->7849 7850 af5b64 Mailbox 7849->7850 7850->7836 7853 ae82cc 7851->7853 7852 ae82dc 7852->7772 7853->7852 7855 af9a0f 7853->7855 7858 b07848 7855->7858 7857 af9a1d 7857->7852 7859 b0785a Mailbox 7858->7859 7862 b04333 7859->7862 7861 b07870 Mailbox 7861->7857 7863 b0433e 7862->7863 7864 aef821 Mailbox 8 API calls 7863->7864 7865 b043a8 7864->7865 7865->7861 7869 ae84ea 7866->7869 7870 ae8529 7869->7870 7873 aebdcb 7870->7873 7872 ae854b 7872->7841 7874 aebde1 Mailbox 7873->7874 7875 af7f29 Mailbox 8 API calls 7874->7875 7876 aebe04 Mailbox 7875->7876 7876->7872 7878 b094e3 7877->7878 7879 b094bd Mailbox 7877->7879 7880 aede5a Mailbox 2 API calls 7879->7880 7880->7878 7882 af210f CharLowerBuffA 7881->7882 7882->7788 8176 af98cc 8181 af1da2 8176->8181 8179 b09883 8 API calls 8180 af9994 8179->8180 8186 aedb48 8181->8186 8183 af1e43 8183->8179 8185 af1db4 8185->8183 8190 aebece 8185->8190 8187 aedb5b Mailbox 8186->8187 8188 aedb9f 8186->8188 8189 b09707 Mailbox 8 API calls 8187->8189 8188->8185 8189->8188 8191 aebf08 8190->8191 8192 aeb7cd WaitForSingleObject 8191->8192 8193 aebfa2 8192->8193 8194 afa805 2 API calls 8193->8194 8203 aec09d 
8193->8203 8195 aebfe5 GetProcAddress 8194->8195 8196 afa805 2 API calls 8195->8196 8198 aec033 8196->8198 8197 ae4eb1 ReleaseMutex 8199 aec2bd 8197->8199 8200 af8251 2 API calls 8198->8200 8199->8185 8201 aec06d GetProcAddress 8200->8201 8202 af8251 2 API calls 8201->8202 8202->8203 8203->8197 8204 af1ecc 8205 af1ee8 Mailbox 8204->8205 8208 afa7bc 8205->8208 8207 af1f5b 8209 aef821 Mailbox 8 API calls 8208->8209 8210 afa7d6 Mailbox 8209->8210 8210->8207 8377 afb046 8378 afb068 CreateFileA 8377->8378 8380 afb142 GetFileTime 8378->8380 8385 afb11b 8378->8385 8381 afb177 CloseHandle 8380->8381 8383 afb1c7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 8380->8383 8381->8385 8384 afb264 GetFileSize CloseHandle 8383->8384 8384->8385 8211 ae50c3 8212 ae50e0 8211->8212 8213 b042b6 lstrlen 8212->8213 8214 ae510f Mailbox 8213->8214 8215 af7f29 Mailbox 8 API calls 8214->8215 8216 ae5123 8215->8216 8221 ae5071 8216->8221 8222 aeacbe 8221->8222 8223 b042b6 lstrlen 8222->8223 8224 aead02 8223->8224 8225 b09883 8 API calls 8224->8225 8226 ae5145 8225->8226 8227 afbf07 8226->8227 8228 afbf15 Mailbox 8227->8228 8229 b09883 8 API calls 8228->8229 8230 ae5183 8229->8230 9209 b02f5d ExitProcess 9210 b0395f 9211 b03980 9210->9211 9212 aef793 lstrlen 9211->9212 9213 b039f3 9212->9213 9214 afa805 2 API calls 9213->9214 9219 b03a11 Mailbox 9213->9219 9215 b03ace 9214->9215 9216 af8251 2 API calls 9215->9216 9217 b03b0d 9216->9217 9220 af9b78 9217->9220 9221 af9b85 9220->9221 9222 b09707 Mailbox 8 API calls 9221->9222 9223 af9c02 9222->9223 9224 aeb7cd WaitForSingleObject 9223->9224 9225 af9c24 CreateFileA 9224->9225 9226 af9c5a 9225->9226 9229 af9c78 Mailbox 9225->9229 9228 ae4eb1 ReleaseMutex 9226->9228 9227 af9c8b ReadFile 9227->9229 9230 af9e2f Mailbox 9228->9230 9229->9227 9231 af7f29 Mailbox 8 API calls 9229->9231 9232 af9e6a CloseHandle 9229->9232 9233 b09883 8 API calls 9229->9233 9234 af9dbc CloseHandle 9229->9234 9230->9219 9231->9229 9232->9226 9233->9229 9235 af9dd9 9234->9235 
9236 ae4eb1 ReleaseMutex 9235->9236 9236->9230 8239 aebcdc 8240 aebcfa 8239->8240 8241 b09707 Mailbox 8 API calls 8240->8241 8242 aebd13 8241->8242 8247 ae563a 8242->8247 8244 aebd3a Mailbox 8245 b09707 Mailbox 8 API calls 8244->8245 8246 aebdb8 8245->8246 8248 ae5648 8247->8248 8249 aedd8f 8 API calls 8248->8249 8250 ae5659 8249->8250 8250->8244 8251 b084c2 8254 ae8020 8251->8254 8257 b0236a 8254->8257 8256 ae802b 8258 b042b6 lstrlen 8257->8258 8259 b02378 8258->8259 8259->8256 9007 afb3db 9008 afb41c 9007->9008 9009 afb4ff GetComputerNameA 9008->9009 9010 afb536 9009->9010 9011 afb59e 9009->9011 9013 afa805 2 API calls 9010->9013 9012 afa805 2 API calls 9011->9012 9014 afb5fa 9012->9014 9015 afb552 9013->9015 9017 af8251 2 API calls 9014->9017 9016 af8251 2 API calls 9015->9016 9016->9011 9018 afb63d 9017->9018 9019 ae846d 9 API calls 9018->9019 9020 afb661 9019->9020 9021 ae695e 8 API calls 9020->9021 9022 afb6db Mailbox 9021->9022 9101 b084d7 9022->9101 9025 b042b6 lstrlen 9026 afb7d9 9025->9026 9027 af0b92 9 API calls 9026->9027 9028 afb825 9027->9028 9029 ae5724 8 API calls 9028->9029 9030 afb834 Mailbox 9029->9030 9031 ae695e 8 API calls 9030->9031 9032 afb891 9031->9032 9033 af0b92 9 API calls 9032->9033 9034 afb92e 9033->9034 9035 ae5724 8 API calls 9034->9035 9036 afb93d Mailbox 9035->9036 9037 ae695e 8 API calls 9036->9037 9038 afb964 9037->9038 9039 af0b92 9 API calls 9038->9039 9040 afb988 9039->9040 9041 ae5724 8 API calls 9040->9041 9042 afb997 Mailbox 9041->9042 9043 ae695e 8 API calls 9042->9043 9044 afb9cf 9043->9044 9045 af0b92 9 API calls 9044->9045 9046 afb9fe 9045->9046 9047 ae5724 8 API calls 9046->9047 9048 afba0a Mailbox 9047->9048 9049 ae695e 8 API calls 9048->9049 9050 afba25 9049->9050 9051 af0b92 9 API calls 9050->9051 9052 afba48 9051->9052 9053 ae5724 8 API calls 9052->9053 9054 afba57 Mailbox 9053->9054 9055 ae695e 8 API calls 9054->9055 9056 afba79 9055->9056 9057 afa805 2 API calls 9056->9057 9058 afba95 9057->9058 9059 af0b92 9 
API calls 9058->9059 9060 afbab9 9059->9060 9061 ae5724 8 API calls 9060->9061 9062 afbac8 Mailbox 9061->9062 9063 af8251 2 API calls 9062->9063 9064 afbaf7 9063->9064 9065 ae695e 8 API calls 9064->9065 9066 afbb1f 9065->9066 9067 af0b92 9 API calls 9066->9067 9068 afbb3d 9067->9068 9069 ae5724 8 API calls 9068->9069 9070 afbb49 Mailbox 9069->9070 9071 ae695e 8 API calls 9070->9071 9072 afbb75 9071->9072 9073 af0b92 9 API calls 9072->9073 9074 afbb96 9073->9074 9075 ae5724 8 API calls 9074->9075 9076 afbba5 Mailbox 9075->9076 9077 ae695e 8 API calls 9076->9077 9078 afbbcb 9077->9078 9136 ae3cdc 9078->9136 9082 afbc06 9083 af0b92 9 API calls 9082->9083 9084 afbc12 9083->9084 9085 ae5724 8 API calls 9084->9085 9086 afbc21 Mailbox 9085->9086 9087 ae695e 8 API calls 9086->9087 9088 afbc3f 9087->9088 9089 af0b92 9 API calls 9088->9089 9090 afbc85 9089->9090 9091 ae5724 8 API calls 9090->9091 9092 afbc94 Mailbox 9091->9092 9093 af5fba 9 API calls 9092->9093 9094 afbccc 9093->9094 9095 b09707 Mailbox 8 API calls 9094->9095 9096 afbd04 Mailbox 9095->9096 9097 b09883 8 API calls 9096->9097 9098 afbd30 9097->9098 9146 aeee34 9098->9146 9100 afbd6e Mailbox 9102 b08577 9101->9102 9103 afa805 2 API calls 9102->9103 9104 b08652 9103->9104 9105 af8251 2 API calls 9104->9105 9106 b086d5 GetProcessHeap 9105->9106 9107 b08711 9106->9107 9113 afb7c4 9106->9113 9108 afa805 2 API calls 9107->9108 9109 b08739 LoadLibraryA 9108->9109 9111 af8251 2 API calls 9109->9111 9112 b0878f 9111->9112 9112->9113 9114 afa805 2 API calls 9112->9114 9113->9025 9115 b08837 GetProcAddress 9114->9115 9116 af8251 2 API calls 9115->9116 9117 b0886e 9116->9117 9118 b08886 FreeLibrary 9117->9118 9119 b088ac HeapAlloc 9117->9119 9118->9113 9120 b08926 9119->9120 9121 b088fb FreeLibrary 9119->9121 9122 b0896c HeapFree 9120->9122 9126 b08a27 9120->9126 9121->9113 9123 b0898e HeapAlloc 9122->9123 9125 b089fb FreeLibrary 9123->9125 9123->9126 9125->9113 9127 afa805 2 API calls 9126->9127 9135 b08d26 Mailbox 
9126->9135 9129 b08ac3 9127->9129 9128 b09094 HeapFree FreeLibrary 9128->9113 9130 af8251 2 API calls 9129->9130 9131 b08b17 9130->9131 9132 afa805 2 API calls 9131->9132 9131->9135 9133 b08d41 9132->9133 9134 af8251 2 API calls 9133->9134 9134->9135 9135->9128 9138 ae3d0f Mailbox 9136->9138 9137 afa805 2 API calls 9139 ae3d74 9137->9139 9138->9137 9140 af8251 2 API calls 9139->9140 9141 ae3db8 9140->9141 9142 ae4d07 9141->9142 9143 ae4d1f 9142->9143 9144 b042b6 lstrlen 9143->9144 9145 ae4d4c 9144->9145 9145->9082 9147 aeee52 9146->9147 9148 af1da2 12 API calls 9147->9148 9149 aeee71 Mailbox 9148->9149 9150 b09883 8 API calls 9149->9150 9151 aeef9f 9149->9151 9150->9151 9151->9100 8264 aecedb FlushFileBuffers 8265 aecf0d GetLastError 8264->8265 8266 aecf39 8264->8266 8265->8266 7884 af20d8 lstrlen 7885 af210f CharLowerBuffA 7884->7885 9152 af6bd8 9153 af6c36 9152->9153 9154 afa805 2 API calls 9153->9154 9155 af6c9d RegOpenKeyA 9154->9155 9156 af8251 2 API calls 9155->9156 9157 af6ccb 9156->9157 9158 af6d31 RegCloseKey 9157->9158 9159 b042b6 lstrlen 9157->9159 9160 af6d0f RegSetValueExA 9159->9160 9160->9158 9237 aef553 9238 aef5b5 9237->9238 9240 aef567 9237->9240 9239 aef671 ReadFile 9238->9239 9238->9240 9239->9240 9241 aeb353 9242 b02f94 8 API calls 9241->9242 9243 aeb377 9242->9243

Control-flow Graph

• Executed
• Not Executed
APIs
• GetVersionExA.KERNEL32(00B1B028), ref: 00AE893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00AE8AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 00AE8D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00AE8D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00AE8DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00AE8E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00AE9158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00AE91F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 00AE936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 00AE94DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 00AE963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 00AE97B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Users\user$C:\hjflhukc\$\$gKV`
• API String ID: 1691758827-3473430694
• Opcode ID: 6b818874474e34db344dff643213ac6fafd0a58ca53b48f54fe57c8e4e997ca6
• Instruction ID: b091e947be82a6bfbb18001accb1df8e30d7160340dd86870bea50a430373694
• Opcode Fuzzy Hash: 6b818874474e34db344dff643213ac6fafd0a58ca53b48f54fe57c8e4e997ca6
• Instruction Fuzzy Hash: FB82FEB2554244CFC718DF65ED969EA37B8FB54300BC0C06AE906DB2B1EF349A81CB55

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID: 241$C:\Users\user$^d/$hM6$~z0
• API String ID: 0-2828660445
• Opcode ID: 479cb0ab703f1ccfe305bf80004536bc0629c86cf389fcc0f2ca324d21d40431
• Instruction ID: a0466577c618f0c0c74cab8b47ef98a534bcfb24894ca11b558e53461b61fad7
• Opcode Fuzzy Hash: 479cb0ab703f1ccfe305bf80004536bc0629c86cf389fcc0f2ca324d21d40431
• Instruction Fuzzy Hash: 7B420BB2550240EFE318AF65FC86AF63BB5FB84750B90C01AE6069B2B1EF709841CB55

Control-flow Graph
APIs
• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF11F7
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00AF1267
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00AF128B
• GetTickCount.KERNEL32 ref: 00AF12D1
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00AF153B
• WriteFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00AF157E
• CloseHandle.KERNEL32(00000000), ref: 00AF158F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: File$CloseCreate$ChangeCountFindHandleNotificationReadTickWrite
• String ID: Ra);
• API String ID: 688250028-4229484525
• Opcode ID: fe21292815c86a253471cf2048e3bd1852c26217e86b2d73e0ab407f0091f930
• Instruction ID: d218f08df6602f9347ca60d4a927dc57dd7852f7a3500240beb95203dbcf5ced
• Opcode Fuzzy Hash: fe21292815c86a253471cf2048e3bd1852c26217e86b2d73e0ab407f0091f930
• Instruction Fuzzy Hash: F9B1DCB2515644EED7188FA8FD919FA37F8FB48751790C01AFA01CB2A0EF349942CB19

Control-flow Graph
APIs
• Sleep.KERNELBASE(000003E8), ref: 00AE5DEC
• FindFirstFileA.KERNELBASE(?,?), ref: 00AE5EB2
• DeleteFileA.KERNELBASE(?), ref: 00AE5FE2
• FindNextFileA.KERNELBASE(00000000,?), ref: 00AE6020
• FindClose.KERNEL32(00000000), ref: 00AE6042
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: 31f2c16ab366cdc0ab6de3137e7aee629baef201ffb4349a0f6564cd97d8f971
• Instruction ID: 720691f905755582425e743559d20848d0153dab1973189af6a9a6b0792144c7
• Opcode Fuzzy Hash: 31f2c16ab366cdc0ab6de3137e7aee629baef201ffb4349a0f6564cd97d8f971
• Instruction Fuzzy Hash: 51A1CE75911A55CBC718CF65FC96AF937B8FB58301790C12AE806CB6B0EF349982CB85

Control-flow Graph
APIs
• AllocateAndInitializeSid.ADVAPI32(00AE8954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00AE8954), ref: 00AEE865
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00AEE895
• FreeSid.ADVAPI32(?), ref: 00AEE8DC
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: d5d286eb8782e52a25460eff1d576535795f0a2f012468d747ea55cad723f0c1
• Instruction ID: 525941d05075b79a6372121721dc7f0bb88c810711e4d1945d4dc0c9ba6ea2ce
• Opcode Fuzzy Hash: d5d286eb8782e52a25460eff1d576535795f0a2f012468d747ea55cad723f0c1
• Instruction Fuzzy Hash: 8E415775915244EFCB04CFA6FD85AE977B5FB08305BD0C46AE402D7260EF349981CB55

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 578 aede5a-aede88 GetProcessHeap RtlFreeHeap 579 aede9a-aede9b 578->579 580 aede8a-aede94 578->580 580->579
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00AF8109,?,00AF8109,00000000), ref: 00AEDE6C
                                                                                                                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,00AF8109,00000000), ref: 00AEDE73
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$FreeProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3859560861-0
                                                                                                                                                                                                            • Opcode ID: dde2917b80831e3ce67f1f47d83daa8e71d9c327ee2ea7967ce01023c00640a6
                                                                                                                                                                                                            • Instruction ID: 5e65d03695b0a2e54cbe0fab5c621e85a3351473c18528a4304f12fc17998fba
                                                                                                                                                                                                            • Opcode Fuzzy Hash: dde2917b80831e3ce67f1f47d83daa8e71d9c327ee2ea7967ce01023c00640a6
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3AE0C232640244EFEE00CFD6FC4BA853BE8FB22741F80C120F105DB530CF2199508A84

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 481 af54a1-af54b8 482 af550a-af550c 481->482 483 af54ba-af54d5 481->483 484 af550e-af5529 482->484 485 af552b 482->485 486 af5535-af55d8 call af06af * 2 484->486 485->486 491 af55fd-af5631 CreateProcessA 486->491 492 af55da-af55f6 486->492 494 af5677 491->494 495 af5633-af5643 491->495 492->491 493 af55f8 492->493 493->491 498 af5681-af568e 494->498 496 af564f-af5675 CloseHandle * 2 495->496 497 af5645 495->497 496->498 497->496
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,00AEDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00AF5628
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00AEDA33,?,?,?,?,00000000), ref: 00AF5652
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00AF5665
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                                            • String ID: D
                                                                                                                                                                                                            • API String ID: 2922976086-2746444292
                                                                                                                                                                                                            • Opcode ID: be9ac7867f739c3b47bdb832113312da8706fc7e3ca1b03804f015bd3ef954e1
                                                                                                                                                                                                            • Instruction ID: a5155a35e5a9c1ea7ce9652752831ee2c0a794b635bfad553a6f6fc7158f1428
                                                                                                                                                                                                            • Opcode Fuzzy Hash: be9ac7867f739c3b47bdb832113312da8706fc7e3ca1b03804f015bd3ef954e1
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C441CD72900648DBC728DFA5FD599FA77B5FB84300B94C12AEA02CB161EF748811CB25

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 499 af54d8-af54e8 500 af54ea-af550c 499->500 501 af5535-af55d8 call af06af * 2 499->501 503 af550e-af5529 500->503 504 af552b 500->504 508 af55fd-af5631 CreateProcessA 501->508 509 af55da-af55f6 501->509 503->501 504->501 511 af5677 508->511 512 af5633-af5643 508->512 509->508 510 af55f8 509->510 510->508 515 af5681-af568e 511->515 513 af564f-af5675 CloseHandle * 2 512->513 514 af5645 512->514 513->515 514->513
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,00AEDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00AF5628
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00AEDA33,?,?,?,?,00000000), ref: 00AF5652
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00AF5665
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                                            • String ID: D
                                                                                                                                                                                                            • API String ID: 2922976086-2746444292
                                                                                                                                                                                                            • Opcode ID: d254c2f174f9747095af1da124de738c8c72af8582723b9adbc9c41e5dc19e4c
                                                                                                                                                                                                            • Instruction ID: 872b344674b967570d5493b6de4bfaae2c4409c137b7bd4d4d99828fb269884e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d254c2f174f9747095af1da124de738c8c72af8582723b9adbc9c41e5dc19e4c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8041AA71501648DBCB28DFA5FD9A9FA37B9FB84700B80C01AEA129B170EF708941CB65

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 516 aec622-aec69d call b0dfa1 call aeb7cd 521 aec69f 516->521 522 aec6a9-aec6b1 516->522 521->522 523 aec6ef-aec709 522->523 524 aec6b3-aec6ea call ae4eb1 522->524 526 aec70b-aec71a 523->526 527 aec737-aec75b CreateFileA 523->527 532 aec9b6-aec9b9 524->532 526->527 529 aec71c-aec731 526->529 530 aec79f-aec7b3 527->530 531 aec75d-aec784 call ae4eb1 527->531 529->527 534 aec7b8-aec7d2 530->534 538 aec798-aec79a 531->538 539 aec786-aec792 531->539 536 aec7f9-aec7fb 534->536 537 aec7d4-aec7f4 534->537 540 aec7fd-aec819 536->540 541 aec81b-aec82d 536->541 537->536 543 aec9b5 538->543 539->538 542 aec837-aec8a2 call af85e7 call b0970f 540->542 541->542 548 aec8d6-aec8ee 542->548 549 aec8a4-aec8d4 542->549 543->532 550 aec8fa-aec948 WriteFile 548->550 551 aec8f0 548->551 549->550 550->534 552 aec94e-aec962 550->552 551->550 553 aec964-aec96e 552->553 554 aec970-aec97c 552->554 555 aec982-aec9b4 CloseHandle call ae4eb1 553->555 554->555 555->543
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 00AEB7CD: WaitForSingleObject.KERNEL32(00AFAEAC,00004E20,00000001,?,00AEBFA2,00000001,-AF16B4FB,?,00AFAEAC,00AE66DE), ref: 00AEB81D
                                                                                                                                                                                                            • CreateFileA.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000000,00000000,?,00AE67E3,?,00000004,?,00000000,?), ref: 00AEC746
                                                                                                                                                                                                            • WriteFile.KERNELBASE(00000000,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 00AEC90B
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000001), ref: 00AEC983
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$CloseCreateHandleObjectSingleWaitWrite
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3361265286-0
                                                                                                                                                                                                            • Opcode ID: 08a88e8129bca0be5e4f43e4a0948973a812a70dbaf76b5a59acf4acc7c5651c
                                                                                                                                                                                                            • Instruction ID: 72a6095098b6e0ee098cb5ee9ee27ec052b9bf9689062dd1e55dc07e1e7aa380
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08a88e8129bca0be5e4f43e4a0948973a812a70dbaf76b5a59acf4acc7c5651c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0C91A975511245DBC718CF29FE959EA7BF5FB98320B90C02AE406DB2B1EF349942CB44

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 570 af20d8-af210d lstrlen 571 af210f-af2119 570->571 572 af211b-af2127 570->572 573 af212d-af214f CharLowerBuffA 571->573 572->573
APIs
• lstrlen.KERNEL32(?,?,00AF09C2,?,?,?), ref: 00AF20F0
• CharLowerBuffA.USER32(?,00000000,?,00AF09C2,?,?,?), ref: 00AF2131
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0

Control-flow Graph (graph image not reproduced; basic blocks and edges listed)
• 574: b023a6-b023be → 575, 576
• 575: b023c0-b023d6 → 576, 577
• 576: b023e2-b02404 (GetProcessHeap, RtlAllocateHeap)
• 577: b023d8 → 576
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00B0A3A7,?,?,?,00B0D0BE), ref: 00B023F6
• RtlAllocateHeap.NTDLL(00000000,?,00B0A3A7,?,?,?,00B0D0BE), ref: 00B023FD
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0

Control-flow Graph (graph image not reproduced; basic blocks listed)
• 581: af15e5-af160d (call afbf87, ExitProcess)
APIs
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 00B0D98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00B0D9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 00B0DA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00B0DA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00B0DBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 00B0DC1C
• CloseHandle.KERNEL32(?), ref: 00B0DC33
• CloseHandle.KERNEL32(?), ref: 00B0DC66
• CloseHandle.KERNEL32(?), ref: 00B0DC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 00B0DD4F
• CloseHandle.KERNEL32(?), ref: 00B0DD9F
• CloseHandle.KERNEL32(?), ref: 00B0DDB2
• CloseHandle.KERNEL32(?), ref: 00B0DE41
• CloseHandle.KERNEL32(00000000), ref: 00B0DE67
• CloseHandle.KERNEL32(?), ref: 00B0DE7E
Strings
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
• API String ID: 1130065513-2746444292
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000,00000100), ref: 00B086E1
• LoadLibraryA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000,00000100), ref: 00B0876A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00B08854
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000,00000100), ref: 00B08891
• HeapAlloc.KERNEL32(?,00000000,00000288,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000), ref: 00B088DD
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000,00000100), ref: 00B08908
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000), ref: 00B0897A
• HeapAlloc.KERNEL32(?,00000000,00000100,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000), ref: 00B089C3
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000,00000100), ref: 00B08A10
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000), ref: 00B090B2
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00AFB7C4,?,?,00000000,00000100), ref: 00B090D7
Strings
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Free$HeapLibrary$Alloc$AddressLoadProcProcess
                                                                                                                                                                                                            • String ID: Q:3q$SAcA
                                                                                                                                                                                                            • API String ID: 1560921867-494069912
                                                                                                                                                                                                            • Opcode ID: c26e89faf21cc4bdb9dc68b38069fc19a5c1efb4380413a83a36a343a118a8e2
                                                                                                                                                                                                            • Instruction ID: e73db311542a3ce0b8ec07bae890600a59f61238dccedf7be1349f5904d11ba4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c26e89faf21cc4bdb9dc68b38069fc19a5c1efb4380413a83a36a343a118a8e2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 05529976614640CBC718CF68FD96AE93BF5FB58311B90C46AE842CB2B1EF309A41CB55
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00AF9154
• setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 00AF91DB
• gethostbyname.WS2_32(?), ref: 00AF9261
• inet_ntoa.WS2_32(?), ref: 00AF92CF
• inet_addr.WS2_32(00000000), ref: 00AF92D6
• htons.WS2_32(00000050), ref: 00AF92FB
• connect.WS2_32(00000000,?,00000010), ref: 00AF9316
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 00AF93A1
• recv.WS2_32(00000000,?,00000400,00000000), ref: 00AF947C
• closesocket.WS2_32(00000000), ref: 00AF97C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: closesocketconnectgethostbynamehtonsinet_addrinet_ntoarecvsendsetsockoptsocket
• String ID: /$;$Rb
• API String ID: 4203722200-1076244922
• Opcode ID: 8c03276cca62be44fac13869246256d3102d47b77a78570ec06fbafd15d92d72
• Instruction ID: 17d18cd69697a18ea6ec2e814850036078e08e6255dd2db00fd8136818c30c9a
• Opcode Fuzzy Hash: 8c03276cca62be44fac13869246256d3102d47b77a78570ec06fbafd15d92d72
• Instruction Fuzzy Hash: 2E92DC72915248CFD718DFA4ED92AFA37B4FB54710B90C42AE906DB2B1EF34A941CB50
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00B03685
• CreateServiceA.ADVAPI32(00000000,01244448,01244448,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00B036D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00B03728
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00B0374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 00B0375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 00B037D1
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00B03836
• CloseServiceHandle.ADVAPI32(00000000), ref: 00B03847
• CloseServiceHandle.ADVAPI32(00000000), ref: 00B038B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID: 3ch$qh~B
• API String ID: 3525021261-274300185
• Opcode ID: 6c1f03273e700e19a896b61b25e0aecab67f945c318d127a098585869ffaefd0
• Instruction ID: da631749396df371f50aa1de8bff62fd0d5c73c258204612badbd131aa194398
• Opcode Fuzzy Hash: 6c1f03273e700e19a896b61b25e0aecab67f945c318d127a098585869ffaefd0
• Instruction Fuzzy Hash: 5C918BB6514200EBC3188F64ED999F97BF9FB49B017C0C15AE802D72B1EF75A941CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID: "Ib$%$0$c< n$jQn$l$l$o$T8G
• API String ID: 0-3181560568
• Opcode ID: b42a9b982aa71b01fa2fe320b8e2079de9e8f2dff8ad59f00bead5681404bd5e
• Instruction ID: c0a393018f88919f62b8dc33f9047b43ef5f128cc10d427b56023c0ab358219f
• Opcode Fuzzy Hash: b42a9b982aa71b01fa2fe320b8e2079de9e8f2dff8ad59f00bead5681404bd5e
• Instruction Fuzzy Hash: 4023DB76910291CBCB18CF6AED956F97BF5FB58301B94C12AE802DB270EF349981CB45
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AF16B2
• Process32First.KERNEL32(00000000,00000128), ref: 00AF17BE
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00AF1932
• Module32First.KERNEL32(00000000,00000224), ref: 00AF1991
• CloseHandle.KERNEL32(?,0000000A), ref: 00AF1A6A
• Process32Next.KERNEL32(00000000,00000128), ref: 00AF1ACE
• CloseHandle.KERNEL32(00000000), ref: 00AF1AF5
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
• String ID:
• API String ID: 930127669-0
• Opcode ID: bdf432647d611a295e7128fd2a00f46f49575390a753fc1c514e62e26350023b
• Instruction ID: 9abe24635c26d497524f318a66681ec2c0d90fbefb627543de983702f5d49070
• Opcode Fuzzy Hash: bdf432647d611a295e7128fd2a00f46f49575390a753fc1c514e62e26350023b
• Instruction Fuzzy Hash: 59C1DC76911604CBD718DFA4ED96AFA33B4FB58311B80C11AFA06C72A0EF749981CF85
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AF08C2
• Process32First.KERNEL32(00000000,00000128), ref: 00AF0966
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AF0A15
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 00AF0A64
• CloseHandle.KERNEL32(00000000), ref: 00AF0A82
• Process32Next.KERNEL32(00000000,00000128), ref: 00AF0AD2
• CloseHandle.KERNEL32(00000000), ref: 00AF0B10
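The API lists above (the WS2_32 socket sequence, the ADVAPI32 service installation, and the two Toolhelp32 enumeration loops, the second of which ends in TerminateProcess) print every argument as raw hexadecimal. The following Python helper is an added triage aid, not part of the Joe Sandbox report or its IDA plugin: it parses trace lines in exactly that format and names the arguments whose meaning is fixed by the API, using the Windows SDK constants from winsock2.h, winsvc.h, tlhelp32.h and winnt.h. Run over the lines above it shows that the socket is an AF_INET TCP stream with SO_RCVTIMEO set and a connect to port 80, that the service is created with SERVICE_ALL_ACCESS as an auto-start interactive own-process service and then given a description via SERVICE_CONFIG_DESCRIPTION, and that the process loop opens each process with PROCESS_TERMINATE only. The sample input is copied from the lists above. One assumption: the trace prints only two arguments for OpenServiceA, so the helper reads that call's access mask from the last argument shown.

```python
"""Decode the argument constants in Joe Sandbox API trace lines.

Added triage helper for this report; not Joe Sandbox code. Parses lines such as
    • setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 00AF91DB
and names fixed-meaning arguments with Windows SDK constants.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Enum tables: exact value -> name. Flag tables: single bits plus well-known composites.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL = {0xFFFF: "SOL_SOCKET"}
SO_OPT = {0x4: "SO_REUSEADDR", 0x8: "SO_KEEPALIVE", 0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
SCM_ACCESS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
              0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0xF003F: "SC_MANAGER_ALL_ACCESS"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0xF01FF: "SERVICE_ALL_ACCESS"}
SERVICE_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x10: "SERVICE_WIN32_OWN_PROCESS",
                0x20: "SERVICE_WIN32_SHARE_PROCESS", 0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL", 2: "SERVICE_ERROR_SEVERE"}
CONFIG_LEVEL = {1: "SERVICE_CONFIG_DESCRIPTION", 2: "SERVICE_CONFIG_FAILURE_ACTIONS",
                3: "SERVICE_CONFIG_DELAYED_AUTO_START_INFO"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION"}

# api (A/W suffix stripped) -> {argument index: (kind, table)}; a negative index counts from the end.
ARG_SPECS = {
    "socket": {0: ("enum", AF), 1: ("enum", SOCK_TYPE), 2: ("enum", IPPROTO)},
    "setsockopt": {1: ("enum", SOL), 2: ("enum", SO_OPT)},
    "htons": {0: ("port", {})},
    "recv": {2: ("size", {})},
    "OpenSCManager": {2: ("flags", SCM_ACCESS)},
    "CreateService": {3: ("flags", SERVICE_ACCESS), 4: ("flags", SERVICE_TYPE),
                      5: ("enum", START_TYPE), 6: ("enum", ERROR_CONTROL)},
    "ChangeServiceConfig2": {1: ("enum", CONFIG_LEVEL)},
    "OpenService": {-1: ("flags", SERVICE_ACCESS)},  # assumption: trace shows the access mask last
    "CreateToolhelp32Snapshot": {0: ("flags", TH32CS)},
    "Process32First": {1: ("enum", {0x128: "sizeof(PROCESSENTRY32), 32-bit"})},
    "Process32Next": {1: ("enum", {0x128: "sizeof(PROCESSENTRY32), 32-bit"})},
    "Module32First": {1: ("enum", {0x224: "sizeof(MODULEENTRY32), 32-bit"})},
    "OpenProcess": {0: ("flags", PROCESS_ACCESS)},
}


@dataclass
class Call:
    api: str
    module: str
    args: list                                  # int per argument, None where the plugin printed '?'
    ref: str
    notes: dict = field(default_factory=dict)   # argument index -> decoded constant name


def decode(kind: str, table: dict, value: int) -> Optional[str]:
    """Name one argument value; None when it cannot be decoded without guessing."""
    if kind == "port":
        return f"port {value}"
    if kind == "size":
        return f"{value} bytes"
    if kind == "enum" or value in table:        # exact hit also covers composites like *_ALL_ACCESS
        return table.get(value)
    # Decompose into single-bit flags and refuse if any bit of the value is unexplained.
    bits = {b: n for b, n in table.items() if b and b & (b - 1) == 0 and value & b}
    if bits and sum(bits) == value:
        return "|".join(n for _, n in sorted(bits.items()))
    return None


def annotate(line: str) -> Optional[Call]:
    """Parse one trace line and attach constant names to its decodable arguments."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [None if t.strip() == "?" else int(t, 16) for t in m["args"].split(",") if t.strip()]
    call = Call(m["api"], m["module"], args, m["ref"].upper())
    base = m["api"]
    if base[-1] in "AW" and base[:-1] in ARG_SPECS:   # CreateServiceA -> CreateService
        base = base[:-1]
    for idx, (kind, table) in ARG_SPECS.get(base, {}).items():
        i = idx if idx >= 0 else len(args) + idx
        if 0 <= i < len(args) and args[i] is not None:
            name = decode(kind, table, args[i])
            if name:
                call.notes[i] = name
    return call


def summarize(trace: str) -> list:
    """One annotated entry per parsable trace line, ready to paste into a triage note."""
    out = []
    for line in trace.splitlines():
        call = annotate(line)
        if call is None:
            continue
        notes = ", ".join(f"arg{i}={n}" for i, n in sorted(call.notes.items()))
        out.append(f"{call.api}.{call.module} @ {call.ref}" + (f": {notes}" if notes else ""))
    return out


# Sample input copied from the API lists in this report (socket, service and process-kill functions).
SAMPLE_TRACE = """
• socket.WS2_32(00000002,00000001,00000006), ref: 00AF9154
• setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 00AF91DB
• htons.WS2_32(00000050), ref: 00AF92FB
• recv.WS2_32(00000000,?,00000400,00000000), ref: 00AF947C
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00B03685
• CreateServiceA.ADVAPI32(00000000,01244448,01244448,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00B036D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00B03728
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 00B037D1
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AF08C2
• Process32First.KERNEL32(00000000,00000128), ref: 00AF0966
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AF0A15
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 00AF0A64
"""
```

Flag masks are only named when every set bit is explained by a single-bit entry in the table, so an unexpected access right is reported as undecoded rather than silently mislabelled; `print("\n".join(summarize(SAMPLE_TRACE)))` lists the annotated calls.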
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2696918072-0
                                                                                                                                                                                                            • Opcode ID: d256b029402396f8f67d00b4665875e60dcfc8bf4bd507a445aecf87919c8046
                                                                                                                                                                                                            • Instruction ID: 7b42d4e135e5b282958e0643c3cb53b3abaed756b25c9ce74d31ab7f110a0e0c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d256b029402396f8f67d00b4665875e60dcfc8bf4bd507a445aecf87919c8046
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5181A576521615DBC314CF68FD91AFA37B8FB58702BC0C12AE906D76B1EF3499818B84
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00AF9FF7
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 00AFA049
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00AFA061
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 00AFA162
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00AFA3B6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1579346331-0
                                                                                                                                                                                                            • Opcode ID: a09f169a2afd64a119e49af928808213439b85e38c3ca799fa1fa2ed762016d5
                                                                                                                                                                                                            • Instruction ID: 068fc256ee2f74352699c60f0a8d632f758ef5102c2c32be6cef7a01bfc4ae98
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a09f169a2afd64a119e49af928808213439b85e38c3ca799fa1fa2ed762016d5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D7D1CBB6901604DFC318CFA4FD95AF977F4FB54310B95C12AE9069B2A0EF34A981CB81
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: $ $-4/
                                                                                                                                                                                                            • API String ID: 0-196967448
                                                                                                                                                                                                            • Opcode ID: 381312236562799a3070e8a32a5d940b61dc76fcad60fb578e6f1c8fda96664d
                                                                                                                                                                                                            • Instruction ID: 617e856b345f2b3e152ac01ce1f1a3b9133c7df30dac4809e5d4adb84eb1a364
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 381312236562799a3070e8a32a5d940b61dc76fcad60fb578e6f1c8fda96664d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EA223072A09244CFC718DFA5FD966FA37B4FB58710B90C42AE406CB2A1EF34A940CB55
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: $5Nv$8%A$L08s$vE{
                                                                                                                                                                                                            • API String ID: 0-1922508855
                                                                                                                                                                                                            • Opcode ID: fba840d0c2ac261f3b84ad5379522c4f17c1be86ce61b40d5b4fb87299ae7f88
                                                                                                                                                                                                            • Instruction ID: 248aa863c9aa62a880fbd12d424d16903fb7e48b0b99b9812a1233cbc09992fd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: fba840d0c2ac261f3b84ad5379522c4f17c1be86ce61b40d5b4fb87299ae7f88
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EE92E076904295CFCB18CFA9ED919EA77F4FB58310B94C12AE806DB270EF34A941CB45
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AF5804
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 00AF58E2
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 00AF59E8
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00AF5A7E
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 420147892-0
                                                                                                                                                                                                            • Opcode ID: 9a5908fbe94e9d69ea7648ec560f97859b614f4d869723eb3127a90de3601b71
                                                                                                                                                                                                            • Instruction ID: ec3a60b34677ed3ac5cf2780b55370e071f39b0c97073e93c9a69bf12c1b4966
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9a5908fbe94e9d69ea7648ec560f97859b614f4d869723eb3127a90de3601b71
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 63919976A15644CBC718DBB9ECAA5F937F4FB48351B90C52AEA02C7260EF309952CF40
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,00B06E81,00000000,00000000,00000000), ref: 00AED636
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00AED65B
                                                                                                                                                                                                              • Part of subcall function 00B04589: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B04637
                                                                                                                                                                                                              • Part of subcall function 00B04589: CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00B04655
                                                                                                                                                                                                              • Part of subcall function 00B04589: CloseHandle.KERNEL32(00000000,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B0468D
                                                                                                                                                                                                              • Part of subcall function 00B04589: WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B046A1
                                                                                                                                                                                                              • Part of subcall function 00B04589: CloseHandle.KERNEL32(?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B04712
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: CloseCreateHandle$Thread$EventObjectSingleWait
• String ID: $}\N
• API String ID: 784754931-3579273913
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID: :JDX$W/=D$cZ)$vE{
• API String ID: 0-1531476030
APIs
• GetComputerNameA.KERNEL32(?,?), ref: 00AFB528
  • Part of subcall function 00B042B6: lstrlen.KERNEL32(?,?,00AE2347,?), ref: 00B04320
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: ComputerNamelstrlen
• String ID: myiW
• API String ID: 4141851928-4061706148
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 00AE3EEA
• __aulldiv.LIBCMT ref: 00AE3F36
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv
• String ID:
• API String ID: 2838486344-0
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID: B&>
• API String ID: 0-1526646359
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID: "d@
• API String ID: 0-2935523628
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00B07525
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CtrlDispatcherServiceStart
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3789849863-0
                                                                                                                                                                                                            • Opcode ID: f1bc6b1dffc5f2e5fb6668a1a35de195228f43b4e9cb26cf2c2cb17aa586d648
                                                                                                                                                                                                            • Instruction ID: 3b8a704a60c19c79a0cef7df7a3fdd8c88d2eca81f6e649a2ce2c64ac56c9925
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f1bc6b1dffc5f2e5fb6668a1a35de195228f43b4e9cb26cf2c2cb17aa586d648
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E4F0FEB29102049FD704DF58E9496E97BF8F714316F94866AD415D3250EF759614CF80
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: 'S
                                                                                                                                                                                                            • API String ID: 0-46969972
                                                                                                                                                                                                            • Opcode ID: 5a70fdda63b66160eb71b7f0d60f633e2281a870959913114c24d093a1f99c01
                                                                                                                                                                                                            • Instruction ID: 98691370efb5dd0d627a25b2740680c0d28fffad226271031e3f6a8bf7a08b76
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5a70fdda63b66160eb71b7f0d60f633e2281a870959913114c24d093a1f99c01
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4FA1DD75615249CBC728CFA9FE919FA77B5FB44300790C52AE906C7671EF34A980CB84
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 0229e0f1d05a6f21c0a4e358d29948c3741dfa869a9b38c258144b38b395081c
                                                                                                                                                                                                            • Instruction ID: 4463b713b47811d4601273a10851e4c0d1ad53c7e40f928dd45e5eba094763be
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0229e0f1d05a6f21c0a4e358d29948c3741dfa869a9b38c258144b38b395081c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CAE1AA71A14240DFCB08DF68ED969B97BF5FB58300790C46AE846CB2A6EF34A941CB54
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: a0babb7e23a10fc589c5811a72ea7d4ba6bebbe4952935ec12c754b35bb2fde5
                                                                                                                                                                                                            • Instruction ID: af1d0e98beb7d4894179c3bbb86102b49c51e497e16ee66abd5f93a7be7f6569
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a0babb7e23a10fc589c5811a72ea7d4ba6bebbe4952935ec12c754b35bb2fde5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6DE19D76A11204CFDB18CF68ED969F977F1FB98311794C02AE806DB261EF38A941CB54
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 660b5b627f70f608f318fbb334713fe71888ae491a4415122b58516940597265
                                                                                                                                                                                                            • Instruction ID: 05619dfabfb463657ce84575ccd0fa03d8913cffeb251b81236a336304e605d5
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 660b5b627f70f608f318fbb334713fe71888ae491a4415122b58516940597265
                                                                                                                                                                                                            • Instruction Fuzzy Hash: ADD1C976621601CBC718CF69EC955E97BF5FB897117A0C02AE856CB3B0EF34AA41CB44
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 4bc809072156b297571fb97aea8e1d0cd18533e52c95abcd56b20dd85c65243a
                                                                                                                                                                                                            • Instruction ID: 60e10fcca2fb7e92fae7667eacf8849754810acb76fec57eee4869a6db0db21b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4bc809072156b297571fb97aea8e1d0cd18533e52c95abcd56b20dd85c65243a
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EFC100B5518249CBD724CFA8EC85AF937B4FB18710B90C51AFA42C72B0EF749881CB85
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 47dd40dab6a0d7343bf0295394b5c0b254b7b66debd96cf0471b9edf1d32e0e1
• Instruction ID: 65daff2c383d2b607d1e6cee0c251970233d8545fc005743fa49c82cfe6b423f
• Opcode Fuzzy Hash: 47dd40dab6a0d7343bf0295394b5c0b254b7b66debd96cf0471b9edf1d32e0e1
• Instruction Fuzzy Hash: BFB1A97A528240CBC308CF64FDA25F577B1FB68311395C01AE846CB2B1EF34A981CB95
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bd25bf06d6fd7ffe8850432327461c18f89e3c01ee551b88579809839b236de
• Instruction ID: 1b669a6282cd3b3e54014dfa077a0acd1d6d3476840211654a8c71359c47e2e5
• Opcode Fuzzy Hash: 8bd25bf06d6fd7ffe8850432327461c18f89e3c01ee551b88579809839b236de
• Instruction Fuzzy Hash: 15B18776915650CFD358CF29FD914A97BF5FB99301390C52AE812CB670EF30A981CB41
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c081e4acb5526f0916ff5281db488546c16c3ebd98b98569b5c664e77b5fa75e
• Instruction ID: e630686f41821142f95d4db7e13250a81c6f9ce64f5acd7659b1c97f5661d6c3
• Opcode Fuzzy Hash: c081e4acb5526f0916ff5281db488546c16c3ebd98b98569b5c664e77b5fa75e
• Instruction Fuzzy Hash: 5BB19972625284CFD318CF68ED925A87BF5FB653007C4C12AE885CB271EF34AA45CB95
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e665c18e20e2fb76c3ae0e6462cb6d2861a5f3125e6358faf220c845fb0ca138
• Instruction ID: 7ec0e774d78ddc9629552d412303e5dc84154ebf13c039fc51fb38832489a564
• Opcode Fuzzy Hash: e665c18e20e2fb76c3ae0e6462cb6d2861a5f3125e6358faf220c845fb0ca138
• Instruction Fuzzy Hash: 4681A872551280CBC318CF69FD815E63BB4FB68311BD0C52AE815CB271EF34A941CB86
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 252acb072f3ec41d7c03dd5d0142205f41ba9d1911c6706d0a2bceb44efab98a
• Instruction ID: 2f1f66bd72e74adc4230019e16220b1a301c063f9a24f33e5caba6204ffb7111
• Opcode Fuzzy Hash: 252acb072f3ec41d7c03dd5d0142205f41ba9d1911c6706d0a2bceb44efab98a
• Instruction Fuzzy Hash: BD71A731255641CBC318CF28FDA26E63BF5FB9A7017A4C52AD446CB6B0EF349981CB44
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 00AECAF2
• SetServiceStatus.ADVAPI32(00B1B2DC), ref: 00AECB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AECB78
• SetServiceStatus.ADVAPI32(00B1B2DC), ref: 00AECBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 00AECC62
• SetServiceStatus.ADVAPI32(00B1B2DC), ref: 00AECCAF
• CloseHandle.KERNEL32 ref: 00AECCC5
• SetServiceStatus.ADVAPI32(00B1B2DC), ref: 00AECD8F
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: e32fbaf8c9ab6d3f6e04c5176490a1418f8177633691374461aa20466c8317f3
• Instruction ID: 0f8c42cf84e7aba94c2b937ca4b13bb1ea06848b1a83d35d409df3562fb3277b
• Opcode Fuzzy Hash: e32fbaf8c9ab6d3f6e04c5176490a1418f8177633691374461aa20466c8317f3
• Instruction Fuzzy Hash: 70911F75021241CBC718DF2AED999EA3BF5FB587153D0C52AE406CB270EF309986CB84
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00AFB104
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 00AFB16D
• CloseHandle.KERNEL32(00000000), ref: 00AFB1B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AFB25F
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00AFB2AB
• CloseHandle.KERNEL32(00000000), ref: 00AFB2D8
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: 0e8b05fd85d97416b8cf53fc74d30faff480aedf8767369e7b8f123ed7fad09b
• Instruction ID: 61796f2cbea9151f61ca4b491b2264b4b9a72310efd44f1333b3387053dc1149
• Opcode Fuzzy Hash: 0e8b05fd85d97416b8cf53fc74d30faff480aedf8767369e7b8f123ed7fad09b
• Instruction Fuzzy Hash: 7F71CC35525208DFC314CFA8ED919FA37B4FB49315790C62AE952C76B0EF349A81CB25

APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B04637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00B04655
• CloseHandle.KERNEL32(00000000,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B0468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B046A1
• CloseHandle.KERNEL32(?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B04712
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: a9213fc8d695cb811f268f3d7dbcea159b9bc9676159429d16501bed636e3dd6
• Instruction ID: 3f4f61d4ea989734ac725a6cf2b6addf28eff149e60d9cb93fb20bbe7e8d0383
• Opcode Fuzzy Hash: a9213fc8d695cb811f268f3d7dbcea159b9bc9676159429d16501bed636e3dd6
• Instruction Fuzzy Hash: A24158B6111240DFC324CF68ED859A63BF6FB9A7117A0C42AE506C76B0EF309841CB11

APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00B04CBC
  • Part of subcall function 00AF074E: wvsprintfA.USER32(?,?,?), ref: 00AF07C3
• Sleep.KERNEL32(00015F90), ref: 00B04E60
• DeleteFileA.KERNEL32(?), ref: 00B04E7F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
• Opcode ID: ef25b11faa9af5daa9ccef3d74349bbc65cecb6f58d46eee7699ce1b4524cb57
• Instruction ID: a0370fd0a7501173dcc2f73722e280c2224de78512c978f300208ef0711384d8
• Opcode Fuzzy Hash: ef25b11faa9af5daa9ccef3d74349bbc65cecb6f58d46eee7699ce1b4524cb57
• Instruction Fuzzy Hash: BAD1F275550208DEC718DF64ED929F67BF8FB58710B80C45AEA06CB2B1EF349A81CB51

APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF9C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00AF9CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00AF9DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AF9E86
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: CloseFileHandle$CreateRead
• String ID:
• API String ID: 2564258376-0
• Opcode ID: 4663bdf7108ac5010a276723f883749668dee3b3ac1e813f41dcf9798ebc0674
• Instruction ID: 87bd01f756b9b4cd1bff1b03d0fbd795931ade51028bb2c84c1184ecd45ac6a2
• Opcode Fuzzy Hash: 4663bdf7108ac5010a276723f883749668dee3b3ac1e813f41dcf9798ebc0674
• Instruction Fuzzy Hash: 7181CA75611204DBC714DFA0FD96AFA37B8FB48711F90842AF902DB2A1EF34A981CB55

APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00AF8146,00000000,?,?,?,?,?,00AEF85A,?,?,?,00B09573), ref: 00B09143
• RtlReAllocateHeap.NTDLL(00000000,?,00AF8146,00000000), ref: 00B0914A
• GetProcessHeap.KERNEL32(00000000,00000000,?,00AF8146,00000000,?,?,?,?,?,00AEF85A,?,?,?,00B09573,?), ref: 00B09174
• HeapAlloc.KERNEL32(00000000,?,00AF8146,00000000,?,?,?,?,?,00AEF85A,?,?,?,00B09573,?,00000001), ref: 00B0917B
Memory Dump Source
• Source File: 00000000.00000002.1483108287.0000000000AE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AE0000, based on PE: true
• Associated: 00000000.00000002.1483087605.0000000000AE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483134725.0000000000B0F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483150487.0000000000B10000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483169889.0000000000B13000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1483189744.0000000000B1C000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ae0000_7qBBKk0P4l.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
• Opcode ID: 5eb4c3dfd55f378c50213a319101110f4efba90c7f28cf713b1e096bf12d85b9
• Instruction ID: 1e94700a47c2b82a5ea58225a80b6f53a7b060460ca3fe564c9e496e59eda545
• Opcode Fuzzy Hash: 5eb4c3dfd55f378c50213a319101110f4efba90c7f28cf713b1e096bf12d85b9
• Instruction Fuzzy Hash: A9011676690604DFCB149FA0FC99AE93BA4FB49301BC48115F90AC7662EF7994448B80

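The "APIs" bullets above list, per function, the imports reached and the stack Joe Sandbox captured at each call site (8-digit hex values, `?` for values it could not resolve, `Function_...` for code pointers). The Python below is an added example, not part of the Joe Sandbox report or of the sample itself: it parses those bullets and applies two triage heuristics whose names are this example's own, the GetModuleFileNameA, Sleep, DeleteFileA chain (self-deletion after a delay; the Sleep argument 0x15F90 is 90 000 ms, i.e. 90 s) and CreateThread followed by WaitForSingleObject, and decodes the CreateFileA access, share and disposition constants. The three API blocks embedded in `SAMPLE` are copied from the listing above; everything else is constructed here.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed input: the "APIs" bullets of three function blocks, copied from the
# Joe Sandbox listing for 7qBBKk0P4l.exe. The parser and the heuristics below are
# this example's own, not Joe Sandbox output or the sample's code.
SAMPLE = """\
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B04637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00B04655
• CloseHandle.KERNEL32(00000000,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B0468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B046A1
• CloseHandle.KERNEL32(?,00000002,?,00AED583,Function_0000AD87,00000002,00000000), ref: 00B04712
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00B04CBC
  • Part of subcall function 00AF074E: wvsprintfA.USER32(?,?,?), ref: 00AF07C3
• Sleep.KERNEL32(00015F90), ref: 00B04E60
• DeleteFileA.KERNEL32(?), ref: 00B04E7F
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AF9C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00AF9CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00AF9DC7
"""


class ApiCall(NamedTuple):
    name: str                        # e.g. "Sleep"
    module: str                      # e.g. "KERNEL32"
    args: Tuple[Optional[int], ...]  # stack values at the call; None for "?" or symbols
    ref: int                         # call-site address
    subcall: bool                    # listed as "Part of subcall function ..."


_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def _arg(tok: str) -> Optional[int]:
    """Joe prints arguments as 8 hex digits; '?' and 'Function_...' stay unresolved."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) else None


def parse_api_blocks(text: str) -> List[List[ApiCall]]:
    """Split the listing at its 'APIs' headers; one call list per function, in listing order."""
    funcs: List[List[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            funcs.append([])
            continue
        m = _LINE.match(line)
        if not m or not funcs:
            continue
        args = tuple(_arg(a) for a in m["args"].split(",")) if m["args"] else ()
        funcs[-1].append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
    return funcs


def find_patterns(calls: List[ApiCall]) -> Dict[str, object]:
    """Heuristics over one function's call list (the pattern names are this example's own)."""
    names = [c.name for c in calls]
    found: Dict[str, object] = {}
    # Self-deletion: resolve own path, wait, then delete. Sleep takes milliseconds.
    if "GetModuleFileNameA" in names and "DeleteFileA" in names:
        i, j = names.index("GetModuleFileNameA"), names.index("DeleteFileA")
        sleeps = [c.args[0] for c in calls[i:j] if c.name == "Sleep" and c.args and c.args[0] is not None]
        if i < j and sleeps:
            found["self_delete_after_sleep_s"] = max(sleeps) / 1000.0
    # Worker thread started and then waited on.
    if "CreateThread" in names and "WaitForSingleObject" in names:
        if names.index("CreateThread") < names.index("WaitForSingleObject"):
            found["thread_and_wait"] = True
    return found


_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def _bits(value: int, table: Dict[int, str]) -> str:
    return "|".join(n for b, n in table.items() if value & b) or "0"


def describe_createfile(call: ApiCall) -> Tuple[str, str, str]:
    """Decode dwDesiredAccess, dwShareMode and dwCreationDisposition (args 1, 2 and 4)."""
    if call.name != "CreateFileA" or len(call.args) < 5:
        raise ValueError("not a CreateFileA call with its parameters on the stack")
    access, share, disp = call.args[1], call.args[2], call.args[4]
    return (_bits(access or 0, _ACCESS), _bits(share or 0, _SHARE),
            _DISPOSITION.get(disp or 0, f"0x{disp or 0:x}"))


if __name__ == "__main__":
    for calls in parse_api_blocks(SAMPLE):
        print([c.name for c in calls], find_patterns(calls))
        for c in calls:
            if c.name == "CreateFileA":
                print("  CreateFileA:", describe_createfile(c))
```

Run on the listing above, the second block is flagged as a self-delete with a 90 s delay and the first as a thread-and-wait; the third decodes to GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, which is the read-only open of an existing file that the following ReadFile (0x5000-byte chunks) consumes. The WaitForSingleObject timeout is left undecoded on purpose: the captured value 000000FF is what the plugin recovered, and the example does not guess whether it is a real timeout or stack residue.
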
Execution Graph

Execution Coverage: 15.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.7%
Total number of Nodes: 1499
Total number of Limit Nodes: 10
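The `execution_graph` listing that follows is a flat token stream: a node is `<id> <address>` followed by label words (Win32 API names, Joe's `Mailbox` marker, or an `N API calls` summary), and an edge is `<src>-><dst>`. The Python below is an added example, not Joe Sandbox code: it parses that stream and reduces control-flow paths to the sequence of APIs met along them, which is how a reader turns the dump into something like "RegisterServiceCtrlHandlerA, then SetServiceStatus, then wait on an event". `SAMPLE` is constructed from two fragments copied from the listing (its first nodes and the service-control subgraph); the `9223->9223` edge is the wait loop, and the path search skips it by only following simple paths.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed input: two fragments copied verbatim from the execution_graph listing
# (its first nodes, and the service-control subgraph), joined into one token stream.
SAMPLE = (
    "execution_graph 8935 614ee1 8936 614efa 8935->8936 8939 61d527 8936->8939 8938 614f99 "
    "8940 61d544 8939->8940 8943 5fdbdf 8940->8943 8942 61d559 Mailbox 8942->8938 8944 5fdbf5 "
    "Mailbox 8943->8944 8945 5ff821 Mailbox 8 API calls 8944->8945 8946 5fdc18 8945->8946 8946->8942 "
    "9215 5fc9ed 9216 5fca6f RegisterServiceCtrlHandlerA 9215->9216 9218 5fcb13 SetServiceStatus "
    "CreateEventA 9216->9218 9229 5fcda7 9216->9229 9220 5fcbde SetServiceStatus 9218->9220 "
    "9221 5fcbcd 9218->9221 9222 5fcc00 9220->9222 9221->9220 9223 5fcc42 WaitForSingleObject "
    "9222->9223 9223->9223 9224 5fcc6f 9223->9224 9225 5fb7cd WaitForSingleObject 9224->9225 "
    "9226 5fcc84 SetServiceStatus CloseHandle 9225->9226 9228 5fcd01 SetServiceStatus 9226->9228 "
    "9228->9229 9161 612f5d ExitProcess"
)

Node = Tuple[int, List[str]]            # (address, label words)
_HEX6 = re.compile(r"^[0-9a-f]{6}$")    # node addresses as printed in the listing
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_NOT_API = {"Mailbox", "API", "calls"}  # Joe's own markers, not Win32 names


def parse_execution_graph(text: str) -> Tuple[Dict[int, Node], Dict[int, List[int]]]:
    """A node starts at '<id> <hex6>'; later words label it until the next node or edge."""
    toks = text.split()
    nodes: Dict[int, Node] = {}
    edges: Dict[int, List[int]] = {}
    current = None
    i = 0
    while i < len(toks):
        t = toks[i]
        e = _EDGE.match(t)
        if e:
            src, dst = int(e[1]), int(e[2])
            if dst not in edges.setdefault(src, []):
                edges[src].append(dst)
        elif t.isdigit() and i + 1 < len(toks) and _HEX6.match(toks[i + 1]):
            current = int(t)
            nodes[current] = (int(toks[i + 1], 16), [])
            i += 1                       # the address token is consumed with the id
        elif current is not None:
            nodes[current][1].append(t)  # "8 API calls": the '8' has no address after it
        i += 1
    return nodes, edges


def api_names(node: Node) -> List[str]:
    return [w for w in node[1] if w not in _NOT_API and not w.isdigit()]


def roots(nodes: Dict[int, Node], edges: Dict[int, List[int]]) -> List[int]:
    """Nodes with no incoming edge: the entry point of each connected component."""
    incoming = {d for ds in edges.values() for d in ds}
    return sorted(n for n in nodes if n not in incoming)


def nodes_calling(nodes: Dict[int, Node], api: str) -> List[int]:
    return sorted(n for n, node in nodes.items() if api in api_names(node))


def api_sequences(nodes: Dict[int, Node], edges: Dict[int, List[int]],
                  start: int, goal: int) -> List[List[str]]:
    """Every simple path start->goal reduced to the APIs met on it, de-duplicated and
    sorted, so pure control-flow nodes and the 9223->9223 wait loop drop out."""
    found: Set[Tuple[str, ...]] = set()

    def walk(node: int, path: List[str], seen: Set[int]) -> None:
        if node == goal:
            found.add(tuple(path))
            return
        for nxt in edges.get(node, []):
            if nxt not in seen:
                walk(nxt, path + api_names(nodes.get(nxt, (0, []))), seen | {nxt})

    walk(start, api_names(nodes[start]), {start})
    return [list(t) for t in sorted(found)]


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    print(len(nodes), "nodes; roots:", roots(nodes, edges))
    for seq in api_sequences(nodes, edges, 9215, 9229):
        print(" -> ".join(seq))
```

On the sample, the paths from node 9215 to 9229 collapse to two API sequences: the short one where RegisterServiceCtrlHandlerA's result sends control straight to the exit node, and the full service path (RegisterServiceCtrlHandlerA, SetServiceStatus, CreateEventA, SetServiceStatus, WaitForSingleObject twice, SetServiceStatus, CloseHandle, SetServiceStatus), which is the shape of a ServiceMain that reports RUNNING, waits on a stop event, then reports STOPPED. The same functions run over the whole listing, not just the two fragments, since the parser only relies on the token shapes shown above.
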
                                                                                                                                                                                                            execution_graph 8935 614ee1 8936 614efa 8935->8936 8939 61d527 8936->8939 8938 614f99 8940 61d544 8939->8940 8943 5fdbdf 8940->8943 8942 61d559 Mailbox 8942->8938 8944 5fdbf5 Mailbox 8943->8944 8945 5ff821 Mailbox 8 API calls 8944->8945 8946 5fdc18 8945->8946 8946->8942 9138 60b360 9139 60b378 9138->9139 9140 6142b6 lstrlen 9139->9140 9141 60b3a5 9140->9141 9144 5ffc31 9141->9144 9147 6198df 9144->9147 9146 5ffc47 9148 619923 9147->9148 9149 619982 9148->9149 9150 61998f 9148->9150 9151 5fbdcb 8 API calls 9149->9151 9152 5fdbdf 8 API calls 9150->9152 9153 61998d Mailbox 9150->9153 9151->9153 9152->9153 9153->9146 8947 5fbcdc 8948 5fbcfa 8947->8948 8949 619707 Mailbox 8 API calls 8948->8949 8950 5fbd13 8949->8950 8955 5f563a 8950->8955 8952 5fbd3a Mailbox 8953 619707 Mailbox 8 API calls 8952->8953 8954 5fbdb8 8953->8954 8956 5f5648 8955->8956 8959 5fdd8f 8956->8959 8960 5fdda0 8959->8960 8961 612f94 8 API calls 8960->8961 8962 5f5659 8961->8962 8962->8952 8967 5fcedb FlushFileBuffers 8968 5fcf0d GetLastError 8967->8968 8969 5fcf39 8967->8969 8968->8969 9154 5ff553 9155 5ff5b5 9154->9155 9157 5ff567 9154->9157 9156 5ff671 ReadFile 9155->9156 9155->9157 9156->9157 9158 5fb353 9159 612f94 8 API calls 9158->9159 9160 5fb377 9159->9160 8830 5f444e 8831 5f446b 8830->8831 8834 5fe4e4 8831->8834 8835 5fe513 8834->8835 8836 5fe69a 8835->8836 8837 5fe553 8835->8837 8852 5fb38e 8836->8852 8839 5fe576 8837->8839 8840 5fe621 8837->8840 8844 6158f9 8839->8844 8842 6158f9 4 API calls 8840->8842 8843 5f4575 8842->8843 8845 615931 8844->8845 8847 6159a1 8845->8847 8851 615937 8845->8851 8860 5f85a4 8845->8860 8848 5f85a4 4 API calls 8847->8848 8850 6159f4 8847->8850 8848->8850 8864 61572d 8850->8864 8851->8843 8853 5fb3c3 8852->8853 8854 5f85a4 4 API calls 8853->8854 8857 5fb456 
8710 5f5071 9 API calls 8710->8713 8711 5f5071 9 API calls 8711->8714 8712->8706 8713->8704 8713->8706 8713->8707 8713->8710 8714->8711 8714->8713 8735 6007f5 8714->8735 8717 6194ec Mailbox 8 API calls 8716->8717 8718 61970e 8717->8718 8718->8392 8720 619898 Mailbox 8719->8720 8721 6194ec Mailbox 8 API calls 8720->8721 8722 6198a3 Mailbox 8721->8722 8722->8394 8724 5fee52 8723->8724 8748 601da2 8724->8748 8726 5fee71 Mailbox 8727 619883 8 API calls 8726->8727 8728 5fef9f 8726->8728 8727->8728 8728->8396 8730 6023f5 8729->8730 8731 6142b6 lstrlen 8730->8731 8732 602488 8731->8732 8733 612f94 8 API calls 8732->8733 8734 600ba0 8733->8734 8734->8675 8744 5fba10 8735->8744 8737 600802 8737->8714 8739 5facbe 8738->8739 8740 6142b6 lstrlen 8739->8740 8741 5fad02 8740->8741 8742 619883 8 API calls 8741->8742 8743 5fad0c 8742->8743 8743->8706 8745 5fba25 Mailbox 8744->8745 8746 6194ec Mailbox 8 API calls 8745->8746 8747 5fba30 Mailbox 8746->8747 8747->8737 8753 5fdb48 8748->8753 8750 601db4 8751 601e43 8750->8751 8757 5fbece 8750->8757 8751->8726 8754 5fdb5b Mailbox 8753->8754 8755 5fdb9f 8753->8755 8756 619707 Mailbox 8 API calls 8754->8756 8755->8750 8756->8755 8758 5fbf08 8757->8758 8759 5fb7cd WaitForSingleObject 8758->8759 8760 5fbfa2 8759->8760 8762 60a805 2 API calls 8760->8762 8772 5fc09d 8760->8772 8761 5fc1c7 CryptGenRandom 8770 5fc1dd 8761->8770 8763 5fbfe5 GetProcAddress 8762->8763 8765 60a805 2 API calls 8763->8765 8764 5f4eb1 ReleaseMutex 8766 5fc2bd 8764->8766 8767 5fc033 8765->8767 8766->8750 8768 608251 2 API calls 8767->8768 8769 5fc06d GetProcAddress 8768->8769 8771 608251 2 API calls 8769->8771 8770->8764 8771->8772 8772->8761 8772->8770 8774 609b85 8773->8774 8775 619707 Mailbox 8 API calls 8774->8775 8776 609c02 8775->8776 8777 5fb7cd WaitForSingleObject 8776->8777 8778 609c24 CreateFileA 8777->8778 8779 609c5a 8778->8779 8784 609c78 Mailbox 8778->8784 8781 5f4eb1 ReleaseMutex 8779->8781 8780 609c8b ReadFile 8780->8784 8782 609ea1 Mailbox 8781->8782 
8782->8414 8783 607f29 Mailbox 8 API calls 8783->8784 8784->8780 8784->8783 8785 609e6a CloseHandle 8784->8785 8786 619883 8 API calls 8784->8786 8787 609dbc CloseHandle 8784->8787 8785->8779 8786->8784 8788 609dd9 8787->8788 8789 5f4eb1 ReleaseMutex 8788->8789 8790 609e2f Mailbox 8789->8790 8790->8782 8792 60bfa3 8791->8792 8792->8439 8794 60114d 8793->8794 8795 6011d9 CreateFileA 8794->8795 8796 601219 8795->8796 8797 60124b ReadFile CloseHandle 8796->8797 8799 6015a4 8796->8799 8798 60129d 8797->8798 8800 6012bd GetTickCount 8798->8800 8799->8481 8820 5f51ca 8800->8820 8802 6012de 8803 6142b6 lstrlen 8802->8803 8804 601310 8803->8804 8805 60a805 2 API calls 8804->8805 8806 601378 8805->8806 8807 608251 2 API calls 8806->8807 8811 601416 8807->8811 8808 6014e0 CreateFileA 8810 60154f 8808->8810 8810->8799 8812 601564 WriteFile CloseHandle 8810->8812 8811->8808 8813 60a805 2 API calls 8811->8813 8812->8799 8814 60147e 8813->8814 8815 6142b6 lstrlen 8814->8815 8816 6014a0 8815->8816 8817 60074e wvsprintfA 8816->8817 8818 6014a9 8817->8818 8819 608251 2 API calls 8818->8819 8819->8808 8821 5f51ea 8820->8821 8822 6142b6 lstrlen 8821->8822 8823 5f5235 8822->8823 8823->8802 8826 6191e0 8824->8826 8825 6148e6 8828 5fea59 CloseHandle 8825->8828 8826->8825 8827 6192ba WriteFile 8826->8827 8827->8825 8829 5fea8e 8828->8829 8829->8541 8900 5f4e3c 8901 5f4e47 8900->8901 8902 6056c6 8 API calls 8901->8902 8903 5f4e9b 8902->8903 9123 605485 9124 605488 Mailbox 9123->9124 9125 6055fd CreateProcessA 9124->9125 9126 605633 CloseHandle CloseHandle 9125->9126 9127 605677 9125->9127 9126->9127 9129 607686 9132 5ffc1b 9129->9132 9133 6194b4 Mailbox 2 API calls 9132->9133 9134 5ffc29 9133->9134 9722 5f11b7 9723 5f1214 9722->9723 9726 5f122a Mailbox 9722->9726 9724 6142b6 lstrlen 9724->9726 9725 60074e wvsprintfA 9725->9726 9726->9723 9726->9724 9726->9725 9727 5f81b5 9728 5f81dc 9727->9728 9729 5f3b08 8 API calls 9728->9729 9730 5f823c 9729->9730 9731 60bf07 8 API calls 9730->9731 
9732 5f8276 9731->9732 8904 5ffa34 8907 5f7fce 8904->8907 8906 5ffa42 8908 6142b6 lstrlen 8907->8908 8909 5f7fe9 Mailbox 8908->8909 8909->8906 9733 5fe9b3 9734 609a0f 8 API calls 9733->9734 9735 5fe9e3 9734->9735 9736 5f5724 8 API calls 9735->9736 9737 5fea10 9736->9737 9170 61df16 9175 606bb9 9170->9175 9182 6192e8 9175->9182 9183 6192fe 9182->9183 9184 5fdb48 Mailbox 8 API calls 9183->9184 9185 619338 9184->9185 8914 61d01d 8915 61d03a 8914->8915 8921 615d58 8915->8921 8919 61d067 8920 61d108 ExitProcess 8919->8920 8922 615d93 8921->8922 8932 5f565e 8922->8932 8924 615dbb 8925 605d50 8924->8925 8926 605d74 8925->8926 8927 605d87 GetStdHandle 8925->8927 8926->8927 8928 605db3 8927->8928 8929 605dc5 GetStdHandle 8927->8929 8928->8929 8931 605dfa GetStdHandle 8929->8931 8931->8919 8933 5f56c5 GetProcessHeap HeapAlloc 8932->8933 8934 5f5695 8932->8934 8933->8924 8934->8933 9744 5f59a1 9747 61cf7e 9744->9747 9748 61236a lstrlen 9747->9748 9749 5f59af 9748->9749
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00610590
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 006105E4
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00610629
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00610649
• GetTickCount.KERNEL32 ref: 006106E6
• GetCommandLineA.KERNEL32 ref: 00610873
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: CreateMutex$CommandCountEnvironmentLineTickVariable
• String ID: $}\N$241$C:\Users\user$C:\hjflhukc\xxxniijvj.exe$HO$^d/$wb_m$~z0
• API String ID: 3327569919-3478614120
• Opcode ID: b40213a01dea7c42d6de4f1d795496064a5a0a8d272db4633dfaef4cf155fed9
• Instruction ID: 4fa9b2472780790776c4e47e706597c68fd573b7afe21f240df8c33385a556f7
• Opcode Fuzzy Hash: b40213a01dea7c42d6de4f1d795496064a5a0a8d272db4633dfaef4cf155fed9
• Instruction Fuzzy Hash: 4503A671905E01CFD778DF68EC86ABA37B7FB44311B14601AE902CA2B1EB749983CB55

Control-flow Graph
APIs
• GetVersionExA.KERNEL32(0062B028), ref: 005F893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 005F8AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 005F8D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 005F8D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 005F8DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 005F8E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 005F9158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 005F91F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 005F936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 005F94DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 005F963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 005F97B0
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Users\user$C:\hjflhukc\$\$gKV`$h)N^
• API String ID: 1691758827-1793791328
• Opcode ID: 0885bad4790cd400fe19c4db1e1d23dad3eec455825dc3c12f67666ce41e35f0
• Instruction ID: 7f227bf4feece33dd77afbcd7e3fc01dde1bd1de2cb92c51ef7a1a2c84a747df
• Opcode Fuzzy Hash: 0885bad4790cd400fe19c4db1e1d23dad3eec455825dc3c12f67666ce41e35f0
• Instruction Fuzzy Hash: CE82E371501E05CFC738DB64EC86ABA37B7FB54311B00A42AE602D72A1EB789987CF55

Control-flow Graph
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000,00000100), ref: 006186E1
• LoadLibraryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000,00000100), ref: 0061876A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00618854
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000,00000100), ref: 00618891
• RtlAllocateHeap.NTDLL(?,00000000,00000288,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000), ref: 006188DD
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000,00000100), ref: 00618908
• GetAdaptersInfo.IPHLPAPI(00000000,00000100,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000,00000100), ref: 00618935
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000), ref: 0061897A
• HeapAlloc.KERNEL32(?,00000000,00000100,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000), ref: 006189C3
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000,00000100), ref: 00618A10
• GetAdaptersInfo.IPHLPAPI(00000000,00000100,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000,00000100), ref: 00618A78
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000), ref: 006190B2
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0060B7C4,?,?,00000000,00000100), ref: 006190D7
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: Free$HeapLibrary$AdaptersInfo$AddressAllocAllocateLoadProcProcess
• String ID: Q:3q$SAcA
• API String ID: 3577610392-494069912
• Opcode ID: e732b8629920ef7a1f16c6633c7f76f8cfd6e994cdecf487eb65c0ef7fcd002e
• Instruction ID: 08128cbf936eaa1d77cd919fbc1f60627044c1bb025f6d90bf95c050f38d5f4a
• Opcode Fuzzy Hash: e732b8629920ef7a1f16c6633c7f76f8cfd6e994cdecf487eb65c0ef7fcd002e
• Instruction Fuzzy Hash: CC529A75915E01CFC338DF68ED91AA937B7FB58311B14641AE802DB2B0EB349983CB55

Control-flow Graph

control_flow_graph: function at 006135AD (graph node and edge data omitted)
APIs
• OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 00613685
• CreateServiceA.ADVAPI32(00000000,009B07F0,009B07F0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 006136D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00613728
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0061374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 0061375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 006137D1
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00613836
• CloseServiceHandle.ADVAPI32(00000000), ref: 00613847
• CloseServiceHandle.ADVAPI32(00000000), ref: 006138B1
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID: 3ch$qh~B
• API String ID: 3525021261-274300185
• Opcode ID: 77a22542c8234396f8e9f60358750651d1cc1371e143e0f608592797e58f9519
• Instruction ID: a033bc267e600585234c0685b444f12322cd0391144fa4dc3f13f37a56f33880
• Opcode Fuzzy Hash: 77a22542c8234396f8e9f60358750651d1cc1371e143e0f608592797e58f9519
• Instruction Fuzzy Hash: 8B919975615E21DBC3388F64ED859B937B7FB48701704741AE802DA3B0EBB49A83CB65

Control-flow Graph

control_flow_graph: function at 0060B3DB (graph node and edge data omitted)
APIs
• GetComputerNameA.KERNEL32(?,?), ref: 0060B528
  • Part of subcall function 006142B6: lstrlen.KERNEL32(?,?,005F2347,?), ref: 00614320
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: ComputerNamelstrlen
• String ID: K]g[$myiW
• API String ID: 4141851928-3148350528
• Opcode ID: 4c1622df156a64d173aaf8208884d1812f40457b8f2d2c542f137b00c198e333
• Instruction ID: 9e765d8e50ccea923b5eca58ae917749d17cc525dbed8fccf9e29fb6969ca6ee
• Opcode Fuzzy Hash: 4c1622df156a64d173aaf8208884d1812f40457b8f2d2c542f137b00c198e333
• Instruction Fuzzy Hash: CA42C371901A0ACFC728EF64ED969BA77BAFB54300F00601AE506E71B1EF349A46CF55

Control-flow Graph

control_flow_graph: function at 005FBECE (graph node and edge data omitted)
APIs
• GetProcAddress.KERNEL32(00000000,?), ref: 005FC004
• GetProcAddress.KERNEL32(00000000), ref: 005FC080
• CryptGenRandom.ADVAPI32(00000004,005F66DE,-AF16B4FB,?,0060AEAC,005F66DE), ref: 005FC1D3
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: AddressProc$CryptRandom
• String ID:
• API String ID: 646182245-0
                                                                                                                                                                                                            • Opcode ID: b5ed670cb8b7c9aa5496730f0b4e4a87d6ad786b6fcd17c149730b5d544b8ab0
                                                                                                                                                                                                            • Instruction ID: 150df739450c2feaf2be0714a2c08cec6c41e5a4b038512e88b81dc621302e3d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b5ed670cb8b7c9aa5496730f0b4e4a87d6ad786b6fcd17c149730b5d544b8ab0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5091A931601E06CFD7389F64ED569393BE7FB54321710B12AE902C66B0EB798983CB15

Control-flow Graph: function starting at 605485 (graph rendering not preserved; legend: Executed / Not Executed)
APIs
• CreateProcessA.KERNELBASE(?,005FDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00605628
• CloseHandle.KERNEL32(005FDA33,?,?,?,?,00000000), ref: 00605652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00605665
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 3857f39b238653ad21f8cf58dce664dbd88ec75464f53fd740c1f16dc0284b05
• Instruction ID: cfd0eec36d7fad11f1b616ee86c438025ebc3e4afe185b68b32bfab6baaee0c4
• Opcode Fuzzy Hash: 3857f39b238653ad21f8cf58dce664dbd88ec75464f53fd740c1f16dc0284b05
• Instruction Fuzzy Hash: F641E132501E449BCB38DFA5FD969BB77B7FB85310B00601AE802866B0EB758853CF25

Control-flow Graph: function starting at 6054d8 (graph rendering not preserved; legend: Executed / Not Executed)
APIs
• CreateProcessA.KERNELBASE(?,005FDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00605628
• CloseHandle.KERNEL32(005FDA33,?,?,?,?,00000000), ref: 00605652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00605665
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 367f4a795fbbe0e9756bf43843ad5e6f400ee90a5b8b014c43af46b0325a2720
• Instruction ID: 31d6730533a7dfb0e11dfc9b29ffe5db41e53dc368ea7184cff347cc0660cc54
• Opcode Fuzzy Hash: 367f4a795fbbe0e9756bf43843ad5e6f400ee90a5b8b014c43af46b0325a2720
• Instruction Fuzzy Hash: 2041BD31501E04DBCB38DFA5ED9A9BB77B7FB84310B00601AE802966B0EB748843CF25

Control-flow Graph: function starting at 609b78 (graph rendering not preserved; legend: Executed / Not Executed)
APIs
• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00609C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00609CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00609DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00609E86
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: CloseFileHandle$CreateRead
• String ID:
• API String ID: 2564258376-0
• Opcode ID: 793edd93b3282eee80957b0132ef33e0afad9bd66eb38cad09ffc086dcfe8333
• Instruction ID: 067ba0913de941f77a4421990823f5296d1ef9b0dac6735b7c37c3f8f9137284
• Opcode Fuzzy Hash: 793edd93b3282eee80957b0132ef33e0afad9bd66eb38cad09ffc086dcfe8333
• Instruction Fuzzy Hash: 9E81AD75611A01DBD738EF60ED86A7A37BBFB44311F00341AE902C62E1EB749983CB25

Control-flow Graph: function starting at 5fc622 (graph rendering not preserved; legend: Executed / Not Executed)
APIs
  • Part of subcall function 005FB7CD: WaitForSingleObject.KERNEL32(0060AEAC,00004E20,00000001,?,005FBFA2,00000001,-AF16B4FB,?,0060AEAC,005F66DE), ref: 005FB81D
• CreateFileA.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000000,00000000,?,005F67E3,?,00000004,?,00000000,?), ref: 005FC746
• WriteFile.KERNELBASE(00000000,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 005FC90B
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00000001), ref: 005FC983
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationObjectSingleWaitWrite
• String ID:
• API String ID: 2552625159-0
• Opcode ID: 6c9cceb19ecd5e1ddd9b09d18da98fb0a6887d5371b43b868931d3220c737852
• Instruction ID: e758a9892ee4fbcdbf255680cfdbf92632465e5bd5a79c7b8c68fe98973b2d97
• Opcode Fuzzy Hash: 6c9cceb19ecd5e1ddd9b09d18da98fb0a6887d5371b43b868931d3220c737852
• Instruction Fuzzy Hash: 2491BC71911A09DFC724DF68EE859657BB7FB88310710742AE606CA2B0EB389943CF15

Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable in text). Basic blocks and their successors, with the API called in each block:
• 5fe769-5fe79c -> 5fe79e-5fe7b7, 5fe7b9-5fe7ce
• 5fe79e-5fe7b7 -> 5fe7d4-5fe807
• 5fe7b9-5fe7ce -> 5fe7d4-5fe807
• 5fe7d4-5fe807 -> 5fe809-5fe818, 5fe81a-5fe82f
• 5fe809-5fe818 -> 5fe83b-5fe881
• 5fe81a-5fe82f -> 5fe831, 5fe83b-5fe881
• 5fe831 -> 5fe83b-5fe881
• 5fe83b-5fe881 [AllocateAndInitializeSid] -> 5fe883-5fe89d, 5fe8ef-5fe908
• 5fe883-5fe89d [CheckTokenMembership] -> 5fe89f-5fe8c2, 5fe8c9-5fe8e9
• 5fe89f-5fe8c2 -> 5fe8c9-5fe8e9
• 5fe8c9-5fe8e9 [FreeSid] -> 5fe8ef-5fe908
• 5fe8ef-5fe908 (exit)
APIs
• AllocateAndInitializeSid.ADVAPI32(005F8954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,005F8954), ref: 005FE865
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 005FE895
• FreeSid.ADVAPI32(?), ref: 005FE8DC
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 05460035b282456fb4b6cc542214a18397161efd1396d5f360c685064bcd89ba
• Instruction ID: 2466d60e028f1cc8e687655016ffe0b7f57b682f40cb4e435d06806dfaa910e9
• Opcode Fuzzy Hash: 05460035b282456fb4b6cc542214a18397161efd1396d5f360c685064bcd89ba
• Instruction Fuzzy Hash: 5A41CE74906A05DFC730DFA5ED8597977F7FB08301B40241AE502D7270E7388982CB56
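The AllocateAndInitializeSid / CheckTokenMembership / FreeSid sequence in this function, with a sub-authority count of 2 and sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS), is the documented Win32 idiom for asking whether the caller's token is a member of BUILTIN\Administrators; the NULL token handle passed to CheckTokenMembership means the check runs against the calling thread's impersonation token, or the process token if the thread is not impersonating. The CreateFileA entry later in this listing likewise shows only raw constants (C0000000 for access, 00000002 for the creation disposition). The Python script below is an added example, not part of the Joe Sandbox report: it parses the raw "APIs" lines, names those constants, and flags the administrator-membership idiom. The report lines it consumes are copied from this listing; the SID authority value (SECURITY_NT_AUTHORITY, giving S-1-5-32-544) is an assumption, because the report only shows the pointer 005F8954 and not the bytes behind it; all function names are my own.

```python
"""Decoder for the raw 'APIs' lines in a Joe Sandbox function listing.

Added example, not part of the Joe Sandbox report. It parses lines of the form
'• Api.Module(arg,arg,...), ref: addr', names the CreateFileA access/share/
disposition constants, and recognises the AllocateAndInitializeSid(..., 2, 0x20,
0x220) + CheckTokenMembership pair as the documented BUILTIN\\Administrators
membership test. Function names are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 constants as defined in the SDK headers (winnt.h, fileapi.h).
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ",
    0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE",
    0x10000000: "GENERIC_ALL",
}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION_DISPOSITION = {
    1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # the "32" in S-1-5-32-544
DOMAIN_ALIAS_RID_ADMINS = 0x220      # the "544" in S-1-5-32-544

API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # hex values as ints, None where the report shows '?'
    ref: int                    # address of the call site


def parse_api_line(line: str) -> ApiCall:
    """Parse one API line; '?' means the sandbox could not recover that argument."""
    m = API_LINE.search(line)
    if m is None:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    args = [None if a.strip() == "?" else int(a, 16)
            for a in m["args"].split(",") if a.strip()]
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def decode_mask(mask: int, table: dict) -> List[str]:
    """Expand a bitmask into flag names; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if mask & bit]
    known = 0
    for bit in table:
        known |= bit
    if mask & ~known:
        names.append(hex(mask & ~known))
    return names or ["0"]


def decode_create_file(call: ApiCall) -> dict:
    """Name the CreateFileA/W arguments that matter for triage.

    Argument order: lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile.
    """
    if not call.api.startswith("CreateFile"):
        raise ValueError(call.api)
    access, share, disposition = call.args[1], call.args[2], call.args[4]
    return {
        "access": decode_mask(access, GENERIC_ACCESS),
        "share": decode_mask(share, FILE_SHARE),
        "disposition": CREATION_DISPOSITION.get(disposition, hex(disposition)),
        # CREATE_ALWAYS and TRUNCATE_EXISTING both discard an existing file's contents.
        "truncates_existing": disposition in (2, 5),
    }


def find_admin_check(calls: List[ApiCall]) -> Optional[dict]:
    """Recognise the documented 'is the caller an administrator' idiom.

    AllocateAndInitializeSid(pAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID,
    DOMAIN_ALIAS_RID_ADMINS, ...) followed by CheckTokenMembership. The report
    shows only a pointer for pAuthority, so S-1-5-32-544 assumes it points to
    SECURITY_NT_AUTHORITY (assumption). A NULL token handle makes
    CheckTokenMembership use the calling thread's impersonation token, or the
    process token if the thread is not impersonating.
    """
    wanted = [2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS]
    for i, c in enumerate(calls):
        if c.api != "AllocateAndInitializeSid" or c.args[1:4] != wanted:
            continue
        check = next((d for d in calls[i + 1:] if d.api == "CheckTokenMembership"), None)
        if check is None:
            continue
        return {
            "sid": "S-1-5-32-544 (BUILTIN\\Administrators, assuming SECURITY_NT_AUTHORITY)",
            "token": "caller's own token" if check.args[0] == 0 else hex(check.args[0]),
            "alloc_ref": hex(c.ref),
            "check_ref": hex(check.ref),
        }
    return None


# Lines copied from the function entries in this report.
REPORT_LINES = [
    "• AllocateAndInitializeSid.ADVAPI32(005F8954,00000002,00000020,00000220,00000000,"
    "00000000,00000000,00000000,00000000,00000000,?,00000000,005F8954), ref: 005FE865",
    "• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 005FE895",
    "• FreeSid.ADVAPI32(?), ref: 005FE8DC",
    "• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 005F3BF6",
]


def triage(lines: List[str]) -> dict:
    """Run both decoders over a list of raw API lines."""
    calls = [parse_api_line(line) for line in lines]
    return {
        "admin_check": find_admin_check(calls),
        "create_file": [decode_create_file(c) for c in calls if c.api.startswith("CreateFile")],
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_LINES).items():
        print(f"{key}: {value}")
```

Matching the argument constants tells you what the function asks, not what the sample did with the answer: the CheckTokenMembership block has two successors in the graph above, and the text form of the report does not say which branch executed, so correlate the call site (005FE895) with the executed-path colouring in the live report before concluding that the result gates an elevation attempt.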

Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable in text). Basic blocks and their successors, with the API called in each block:
• 6020d8-60210d [lstrlen] -> 60210f-602119, 60211b-602127
• 60210f-602119 -> 60212d-60214f
• 60211b-602127 -> 60212d-60214f
• 60212d-60214f [CharLowerBuffA] (exit)
APIs
• lstrlen.KERNEL32(?,?,006009C2,?,?,?), ref: 006020F0
• CharLowerBuffA.USER32(?,00000000,?,006009C2,?,?,?), ref: 00602131
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: ee73c951c350497530d8362034d6b1a106d64e5f105f61c4c41cad366aaf643b
• Instruction ID: 33b93180d572dc232c694493d8776cc4f12dc0e66c67611be2b6e2279504c099
• Opcode Fuzzy Hash: ee73c951c350497530d8362034d6b1a106d64e5f105f61c4c41cad366aaf643b
• Instruction Fuzzy Hash: 5FF09A31224A049FCB29DF45EC5A47A37F3FB547407107019F9068A671EB79ED82EB52

Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable in text). Basic blocks and their successors, with the APIs called in each block:
• 6123a6-6123be -> 6123c0-6123d6, 6123e2-612404
• 6123c0-6123d6 -> 6123d8, 6123e2-612404
• 6123d8 -> 6123e2-612404
• 6123e2-612404 [GetProcessHeap, RtlAllocateHeap] (exit)
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,0061A3A7,?,?,?,0061D0BE), ref: 006123F6
• RtlAllocateHeap.NTDLL(00000000,?,0061A3A7,?,?,?,0061D0BE), ref: 006123FD
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 565732f94d207a669bbd21fdaf4c8c67c3f82b753302500aedf6ed3950205067
• Instruction ID: 297faad1c247bc26eea75e4a3c5bd4d05c67f7ce4c9afbe5602d14815cc7ae86
• Opcode Fuzzy Hash: 565732f94d207a669bbd21fdaf4c8c67c3f82b753302500aedf6ed3950205067
• Instruction Fuzzy Hash: 71F02B369017019FCB209FA9FC49A893766F304305B286003F015DA1B1C738E891CF54

Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable in text). Basic blocks and their successors, with the APIs called in each block:
• 5fde5a-5fde88 [GetProcessHeap, RtlFreeHeap] -> 5fde8a-5fde94, 5fde9a-5fde9b
• 5fde8a-5fde94 -> 5fde9a-5fde9b
• 5fde9a-5fde9b (exit)
APIs
• GetProcessHeap.KERNEL32(00000000,00608109,?,00608109,00000000), ref: 005FDE6C
• RtlFreeHeap.NTDLL(00000000,?,00608109,00000000), ref: 005FDE73
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 70434dd4944bbdf22301d12b4601505661962473775acec2e69c2677e08839f4
• Instruction ID: a22f19853aa9f10ca7a4553db50eebdb5aeb8c09184377d23b6a3cad66c9f515
• Opcode Fuzzy Hash: 70434dd4944bbdf22301d12b4601505661962473775acec2e69c2677e08839f4
• Instruction Fuzzy Hash: D3E0C232A40A48DBEF208BD5FC4B7143BEEFB20341F00A511F219CA130CB2595528B84

Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable in text). Basic blocks and their successors, with the calls made in each block:
• 5f3b2c-5f3c12 [call 5ff793, call 60a805, call 5ff38b, call 608251, CreateFileA] -> 5f3c14-5f3c2f, 5f3c4f-5f3c67
• 5f3c14-5f3c2f -> 5f3c31, 5f3c3b-5f3c4d
• 5f3c31 -> 5f3c3b-5f3c4d
• 5f3c3b-5f3c4d -> 5f3c85-5f3c91
• 5f3c4f-5f3c67 -> 5f3c69-5f3c73, 5f3c79-5f3c83
• 5f3c69-5f3c73 -> 5f3c79-5f3c83
• 5f3c79-5f3c83 -> 5f3c85-5f3c91
• 5f3c85-5f3c91 -> 5f3c93-5f3caf, 5f3cb5-5f3cdb
• 5f3c93-5f3caf -> 5f3cb5-5f3cdb
• 5f3cb5-5f3cdb [call 6006af] (exit)
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 005F3BF6
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3848fd7d0af5992af4c318bccde0aa84230070625423d8bcb178bac6f6abd4d3
• Instruction ID: 88e57e698fe270b7ed3edb0a604b9963deed0859105e93dc2f249b2c079d595d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3848fd7d0af5992af4c318bccde0aa84230070625423d8bcb178bac6f6abd4d3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B741F772951A09DBC334DF69EC4ADA237BAF744324F04A42AF605D7660DA349983CF90

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
• control_flow_graph 1268 6015e5-60160d call 60bf87 ExitProcess
APIs
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 2be8dd2b0af8feaf0d327f20386d6aa84ed83eb077b4da13c7492953ecfba74e
• Instruction ID: 7bd343f3eec5eccc650f9bc6fa3fe8d5cf83bb19c0530d04d9bf19568f949d48
• Opcode Fuzzy Hash: 2be8dd2b0af8feaf0d327f20386d6aa84ed83eb077b4da13c7492953ecfba74e
• Instruction Fuzzy Hash: 9BD0C9340047559A8B247FA59C064267BA6EB046007413015A8409A070DBB4D901C75B
APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 0061D98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0061D9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 0061DA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0061DA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0061DBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 0061DC1C
• CloseHandle.KERNEL32(?), ref: 0061DC33
• CloseHandle.KERNEL32(?), ref: 0061DC66
• CloseHandle.KERNEL32(?), ref: 0061DC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 0061DD4F
• CloseHandle.KERNEL32(?), ref: 0061DD9F
• CloseHandle.KERNEL32(?), ref: 0061DDB2
• CloseHandle.KERNEL32(?), ref: 0061DE41
• CloseHandle.KERNEL32(00000000), ref: 0061DE67
• CloseHandle.KERNEL32(?), ref: 0061DE7E
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
• API String ID: 1130065513-2746444292
• Opcode ID: f275c3bef1310fede200eb27d6ff37e7247e4549f5b5a90258cd72afa2548e9d
• Instruction ID: a3e17ae5fa63f66a5eb05c2a2a08e801f1f7e8ce5bb4c17eb830df27c2d6d628
• Opcode Fuzzy Hash: f275c3bef1310fede200eb27d6ff37e7247e4549f5b5a90258cd72afa2548e9d
• Instruction Fuzzy Hash: FE027676911A05DFCB34CF68ED829AA7BB7FB08301714651AE802D7270EB349993CF55
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006011F7
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00601267
• CloseHandle.KERNEL32(00000000), ref: 0060128B
• GetTickCount.KERNEL32 ref: 006012D1
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0060153B
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0060157E
• CloseHandle.KERNEL32(00000000), ref: 0060158F
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID: Ra);
• API String ID: 3478262135-4229484525
• Opcode ID: 0cea652f6d2de7e75502d301bcd363d2514f90b3ff34b4521bd96b7011772511
• Instruction ID: ea4913d3252a291d631475fcc0fb2e5836860cb4b48e164600ca18be7e856a75
• Opcode Fuzzy Hash: 0cea652f6d2de7e75502d301bcd363d2514f90b3ff34b4521bd96b7011772511
• Instruction Fuzzy Hash: 57B1ABB1515E019FD7388F68ED8697A37B7FB49351710601AF902CA2B0EB748983CB29
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006016B2
• Process32First.KERNEL32(00000000,00000128), ref: 006017BE
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00601932
• Module32First.KERNEL32(00000000,00000224), ref: 00601991
• CloseHandle.KERNEL32(?,0000000A), ref: 00601A6A
• Process32Next.KERNEL32(00000000,00000128), ref: 00601ACE
• CloseHandle.KERNEL32(00000000), ref: 00601AF5
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
• String ID:
• API String ID: 930127669-0
• Opcode ID: 633269ae5a571381c8559d7b337dafceda0ef76acf507d419f004d1dc98aaa57
• Instruction ID: c28e4c163065f0285ff6b872f2fec6d1c1425e2596a592f658f1eaabca1eb5bc
• Opcode Fuzzy Hash: 633269ae5a571381c8559d7b337dafceda0ef76acf507d419f004d1dc98aaa57
• Instruction Fuzzy Hash: 94C1F075901E00CFD738DF64EC96ABA33B7FB55311B00601AE906CA2A0EB789983CF55
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00609FF7
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 0060A049
• GetLastError.KERNEL32 ref: 0060A061
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 0060A162
• CloseServiceHandle.ADVAPI32(00000000), ref: 0060A3B6
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
• String ID:
• API String ID: 1579346331-0
• Opcode ID: 34b9d9712ff23c4d04c8614b836b6a660ba2b7021e1c698ee88d18d32c54c110
• Instruction ID: 3bd1636e41696569662696c8833c4e3ccfd359b85e871b97aee838dc21a651e7
• Opcode Fuzzy Hash: 34b9d9712ff23c4d04c8614b836b6a660ba2b7021e1c698ee88d18d32c54c110
• Instruction Fuzzy Hash: 56D1EB76901E00DFC338CFA4ED85A7A77B7FB44351B14641AE802DB2A0EB749A83CB51
APIs
• Sleep.KERNEL32(000003E8), ref: 005F5DEC
• FindFirstFileA.KERNEL32(?,?), ref: 005F5EB2
• DeleteFileA.KERNEL32(?), ref: 005F5FE2
• FindNextFileA.KERNEL32(00000000,?), ref: 005F6020
• FindClose.KERNEL32(00000000), ref: 005F6042
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: 8ffc83ab1a0cb4620c71a1f8b151efe7faf0afb33d0a8ce7c5661ccc09169505
• Instruction ID: 3f632cb44b6832bada044c4b3d6926fa40c2ca1452c35c58f4ae915df1956e40
• Opcode Fuzzy Hash: 8ffc83ab1a0cb4620c71a1f8b151efe7faf0afb33d0a8ce7c5661ccc09169505
• Instruction Fuzzy Hash: C4A1CE75512E19CFC338DB64EC869B937BAFB48301710741AEA06CB670EB789983CB55
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00605804
• Process32First.KERNEL32(00000000,00000128), ref: 006058E2
• Process32Next.KERNEL32(00000000,00000128), ref: 006059E8
• CloseHandle.KERNEL32(00000000), ref: 00605A7E
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: ba3b7ef4476c4896ea28d82c027a252a8036bad05325a1d7f1306e7000d86ce3
• Instruction ID: 1f25a0c704af366b7f0e984fdcb3b146d7a3000b2ba874f54e4a8258f1dd6d0c
• Opcode Fuzzy Hash: ba3b7ef4476c4896ea28d82c027a252a8036bad05325a1d7f1306e7000d86ce3
• Instruction Fuzzy Hash: FE91BD75605E10CBC738DB69ED9A9AA37F7FB48311B10651AE803DA6A0EB349943CF11
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f20aff88d1ca88ae825f46216a95df1e84c8d30feb3d51e8297848ff3d80d9fd
• Instruction ID: 3c9b249f7fab82b726208598949ddb38e315394bb385129829beb5e683662ec2
• Opcode Fuzzy Hash: f20aff88d1ca88ae825f46216a95df1e84c8d30feb3d51e8297848ff3d80d9fd
• Instruction Fuzzy Hash: 241119B1615A41CBD379CF68ED815653BB3F794342750B81AE102DB6B1EB348583DF11
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 005FCAF2
• SetServiceStatus.ADVAPI32(0062B2DC), ref: 005FCB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 005FCB78
• SetServiceStatus.ADVAPI32(0062B2DC), ref: 005FCBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 005FCC62
• SetServiceStatus.ADVAPI32(0062B2DC), ref: 005FCCAF
• CloseHandle.KERNEL32 ref: 005FCCC5
• SetServiceStatus.ADVAPI32(0062B2DC), ref: 005FCD8F
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: 1435bbfad42b65cf5bc9607903b72feff3deed1ae5cb932645f872d0cf4d17c9
• Instruction ID: 7fe5e36369723705648624b3b2afab3e0aa190cbd90d57ff593f47c27262b52a
• Opcode Fuzzy Hash: 1435bbfad42b65cf5bc9607903b72feff3deed1ae5cb932645f872d0cf4d17c9
• Instruction Fuzzy Hash: D6913374112E56CBC334DF69EE898693BFBFB58315300752AE906CA270DB78A943CB54
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006008C2
• Process32First.KERNEL32(00000000,00000128), ref: 00600966
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00600A15
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 00600A64
• CloseHandle.KERNEL32(00000000), ref: 00600A82
• Process32Next.KERNEL32(00000000,00000128), ref: 00600AD2
• CloseHandle.KERNEL32(00000000), ref: 00600B10
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2696918072-0
                                                                                                                                                                                                            • Opcode ID: 64212bb2e90b2f53dd13b401846f3080bf3ae7de9a5a02c97607a67d5a53d84c
                                                                                                                                                                                                            • Instruction ID: 8ae6a2c343f416fd9e839ac9e0b61209ef052e70c3097e9c75895368c886e707
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 64212bb2e90b2f53dd13b401846f3080bf3ae7de9a5a02c97607a67d5a53d84c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6681BB72911E11DFD334CF68ED85ABA33B7FB58312B00611AE842C66B1EB748983CB45
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0060B104
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 0060B16D
• CloseHandle.KERNEL32(00000000), ref: 0060B1B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0060B25F
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0060B2AB
• CloseHandle.KERNEL32(00000000), ref: 0060B2D8
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: 9f0d07ec58764fef2417a9a6a64130347fa3fbd34bab84a726e5b90fcd983391
• Instruction ID: 10b5fae86033a7a08ab5565b55248efaa9eabb07ab7926269ce8cb1ee1f71a1c
• Opcode Fuzzy Hash: 9f0d07ec58764fef2417a9a6a64130347fa3fbd34bab84a726e5b90fcd983391
• Instruction Fuzzy Hash: 3B71AB31511A05DFC738DF68ED818BA37B7FB44316710751AE852C76A0E7349A83CB25
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,005FD583,Function_0000AD87,00000002,00000000), ref: 00614637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00614655
• CloseHandle.KERNEL32(00000000,?,00000002,?,005FD583,Function_0000AD87,00000002,00000000), ref: 0061468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,005FD583,Function_0000AD87,00000002,00000000), ref: 006146A1
• CloseHandle.KERNEL32(?,00000002,?,005FD583,Function_0000AD87,00000002,00000000), ref: 00614712
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 2b2d6b315d2ca45f8ca93439e52deccf45d7eb258fddcdbf23d9627052046a48
• Instruction ID: 48e32eb143ec0485cc5c5ed187819c460e77c94bb702900c6111910739421c31
• Opcode Fuzzy Hash: 2b2d6b315d2ca45f8ca93439e52deccf45d7eb258fddcdbf23d9627052046a48
• Instruction Fuzzy Hash: F8416575501A80DFC334DF68ED869663BB7FB99715724A42AE846C7670EB309883CB11
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00614CBC
  • Part of subcall function 0060074E: wvsprintfA.USER32(?,?,?), ref: 006007C3
• Sleep.KERNEL32(00015F90), ref: 00614E60
• DeleteFileA.KERNEL32(?), ref: 00614E7F
Strings
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
• Opcode ID: a2ed34554701cbe7cf686a9f33d7c62946dab27086a1d077f81f1b922084094f
• Instruction ID: 4438079f5aa67d77def8adacb33930340e17ae361a83cc19dd02cfe09d8e6555
• Opcode Fuzzy Hash: a2ed34554701cbe7cf686a9f33d7c62946dab27086a1d077f81f1b922084094f
• Instruction Fuzzy Hash: C6D1E035511E058FC738DF64ED96AA637FBFB44310B04640AE906CB2B1EB789983CB65
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00608146,00000000,?,?,?,?,?,005FF85A,?,?,?,00619573), ref: 00619143
• RtlReAllocateHeap.NTDLL(00000000,?,00608146,00000000), ref: 0061914A
• GetProcessHeap.KERNEL32(00000000,00000000,?,00608146,00000000,?,?,?,?,?,005FF85A,?,?,?,00619573,?), ref: 00619174
• HeapAlloc.KERNEL32(00000000,?,00608146,00000000,?,?,?,?,?,005FF85A,?,?,?,00619573,?,00000001), ref: 0061917B
Memory Dump Source
• Source File: 00000002.00000002.1468893570.00000000005F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 005F0000, based on PE: true
• Associated: 00000002.00000002.1468882233.00000000005F0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468914847.000000000061F000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468926349.0000000000620000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468938349.0000000000623000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1468951231.000000000062C000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5f0000_psjpq2s5tgtsjq0yguk.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
• Opcode ID: 0b63fb82352c31843dafa032c885d1fbef7c7baba0643a81f37ea8a4f1dbe100
• Instruction ID: 0ee31b10d65ffe309e68701ac9d7065528c637dfb9b1a65fc577ac3fb32264e0
• Opcode Fuzzy Hash: 0b63fb82352c31843dafa032c885d1fbef7c7baba0643a81f37ea8a4f1dbe100
• Instruction Fuzzy Hash: 70011676540E04DFDB309FA0FC9AA6937B7FB08301F886515F90A87272EB7995428B94

Execution Graph

Execution Coverage: 19.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1503
Total number of Limit Nodes: 22
8015->8016 8017 75a805 2 API calls 8016->8017 8018 760283 8017->8018 8019 758251 2 API calls 8018->8019 8020 7602bf 8019->8020 8021 75a805 2 API calls 8020->8021 8022 760325 8021->8022 8023 758251 2 API calls 8022->8023 8024 760339 8023->8024 8025 75a805 2 API calls 8024->8025 8026 76036a 8025->8026 8027 758251 2 API calls 8026->8027 8028 7603bd 8027->8028 8029 75a805 2 API calls 8028->8029 8030 760402 8029->8030 8031 758251 2 API calls 8030->8031 8032 760422 8031->8032 8033 75a805 2 API calls 8032->8033 8034 760469 8033->8034 8035 758251 2 API calls 8034->8035 8036 7604b2 8035->8036 8037 758251 2 API calls 8036->8037 8038 760503 Mailbox 8037->8038 8222 74de5a GetProcessHeap RtlFreeHeap 8038->8222 8042 76054a 8043 75a805 2 API calls 8042->8043 8044 760560 GetEnvironmentVariableA 8043->8044 8045 7605b2 8044->8045 8046 758251 2 API calls 8045->8046 8047 7605d0 CreateMutexA CreateMutexA CreateMutexA 8046->8047 8048 760665 8047->8048 8049 760809 8048->8049 8050 7606de GetTickCount 8048->8050 8051 7606c9 8048->8051 8229 7488a8 8049->8229 8054 7606f2 8050->8054 8051->8050 8053 760818 GetCommandLineA 8057 7608a8 8053->8057 8055 75a805 2 API calls 8054->8055 8059 760710 8055->8059 8058 75a805 2 API calls 8057->8058 8061 7608c5 8058->8061 8060 758251 2 API calls 8059->8060 8062 7607b7 8060->8062 8063 758251 2 API calls 8061->8063 8062->8049 8064 76092f 8063->8064 8065 760964 8064->8065 8066 761311 GetCommandLineA 8064->8066 8067 75a805 2 API calls 8065->8067 8332 763e09 8066->8332 8071 760996 8067->8071 8070 7613a1 8335 7642b6 8070->8335 8072 758251 2 API calls 8071->8072 8074 760a10 8072->8074 8076 760a21 8074->8076 8077 75a805 2 API calls 8074->8077 8075 7613dc GetModuleFileNameA 8338 7520d8 lstrlen 8075->8338 8089 760a37 8076->8089 8081 760ac3 8077->8081 8083 758251 2 API calls 8081->8083 8082 76145c 8088 7520d8 2 API calls 8082->8088 8085 760b1f 8083->8085 8084 75a805 2 API calls 8086 7622a4 8084->8086 8085->8089 8091 74f793 lstrlen 8085->8091 8591 74e2f8 8086->8591 
8090 761510 8088->8090 8588 7515e5 8089->8588 8092 7520d8 2 API calls 8090->8092 8093 760b80 8091->8093 8103 761523 8092->8103 8094 75a805 2 API calls 8093->8094 8099 760ba4 8094->8099 8095 7622c9 8095->7984 8096 761785 8341 743b2c 8096->8341 8098 7617c8 8098->8089 8349 75b3db 8098->8349 8101 758251 2 API calls 8099->8101 8118 760be7 8101->8118 8102 7617ed 8443 743e8c 8102->8443 8103->8096 8107 7615b0 8103->8107 8105 761806 8447 74ddd3 8105->8447 8106 75571f 6 API calls 8106->8118 8527 75af1f 8107->8527 8111 7615e1 8533 745c39 8111->8533 8113 743e8c GetSystemTimeAsFileTime 8113->8118 8114 760d00 Sleep 8115 75b046 5 API calls 8114->8115 8116 760cea 8115->8116 8116->8114 8116->8118 8505 75b046 8116->8505 8117 760dd2 Sleep 8117->8118 8118->8106 8118->8113 8118->8116 8118->8117 8124 760dfe 8118->8124 8119 7615fa 8119->8089 8120 75a805 2 API calls 8119->8120 8123 761680 8120->8123 8121 76186d 8127 7618fb WSAStartup 8121->8127 8122 75571f 6 API calls 8122->8124 8125 7642b6 lstrlen 8123->8125 8124->8122 8128 760ee5 8124->8128 8139 760e49 8124->8139 8126 761695 MessageBoxA 8125->8126 8134 761738 8126->8134 8130 761928 8127->8130 8138 76197d 8127->8138 8129 75b046 5 API calls 8128->8129 8132 760ef9 8129->8132 8130->8084 8135 760f60 GetModuleFileNameA SetFileAttributesA 8132->8135 8181 76126d 8132->8181 8136 758251 2 API calls 8134->8136 8140 760fcc CopyFileA 8135->8140 8136->8089 8137 761a53 8145 761a8c CloseHandle SetFileAttributesA 8137->8145 8156 761d7e 8137->8156 8138->8137 8547 76395f 8138->8547 8139->8124 8139->8128 8141 760ea2 Sleep 8139->8141 8514 750806 8139->8514 8146 75a805 2 API calls 8140->8146 8141->8139 8142 7554d8 3 API calls 8142->8089 8148 761b05 CopyFileA 8145->8148 8149 761ae9 8145->8149 8150 761044 8146->8150 8147 7619d7 8147->8089 8151 761a29 8147->8151 8153 761b22 SetFileAttributesA 8148->8153 8154 761c76 8148->8154 8149->8148 8162 758251 2 API calls 8150->8162 8557 74f02c 8151->8557 8160 761b5b 8153->8160 8161 761b79 8153->8161 8165 74b7cd 
WaitForSingleObject 8154->8165 8159 761e3f SetFileAttributesA CopyFileA SetFileAttributesA 8156->8159 8174 761db5 8156->8174 8451 75571f 8156->8451 8462 74f793 8159->8462 8566 7635ad 8160->8566 8168 761c27 Sleep 8161->8168 8579 756bd8 8161->8579 8164 761077 8162->8164 8178 75a805 2 API calls 8164->8178 8188 76111d 8164->8188 8165->8089 8166 750806 9 API calls 8170 761dcb Sleep 8166->8170 8173 7554d8 3 API calls 8168->8173 8170->8174 8172 761bef 8172->8168 8173->8154 8174->8156 8174->8159 8174->8166 8175 761206 SetFileAttributesA 8175->8181 8176 761195 SetFileAttributesA 8176->8181 8184 7610ce 8178->8184 8180 75a805 2 API calls 8183 761ee6 8180->8183 8181->8142 8185 75a805 2 API calls 8183->8185 8186 758251 2 API calls 8184->8186 8187 761f29 8185->8187 8186->8188 8189 758251 2 API calls 8187->8189 8188->8175 8188->8176 8190 761f4e 8189->8190 8467 7675ce 8190->8467 8192 761f65 8193 758251 2 API calls 8192->8193 8194 761fc0 8193->8194 8471 76473b 8194->8471 8197 75a805 2 API calls 8198 762012 8197->8198 8199 75a805 2 API calls 8198->8199 8200 762031 8199->8200 8494 75074e 8200->8494 8202 762063 8203 758251 2 API calls 8202->8203 8204 762079 8203->8204 8205 758251 2 API calls 8204->8205 8206 762092 8205->8206 8497 7554d8 8206->8497 8208 7620d2 Mailbox 8209 762140 CreateThread 8208->8209 8212 762179 8209->8212 8873 7624d3 8209->8873 8210 7621c3 Sleep 8212->8210 8504 7674e8 StartServiceCtrlDispatcherA 8212->8504 8216 758268 Mailbox 8215->8216 8217 74de5a Mailbox 2 API calls 8216->8217 8218 7582cb 8217->8218 8219 75a805 8218->8219 8597 7623a6 8219->8597 8221 75a878 Mailbox 8221->7990 8223 74de8a 8222->8223 8224 76d256 GetSystemTime 8223->8224 8225 76d2ec 8224->8225 8226 743e8c GetSystemTimeAsFileTime 8225->8226 8227 76d368 GetTickCount 8226->8227 8228 76d39b 8227->8228 8228->8042 8230 7488cc 8229->8230 8231 7488ea GetVersionExA 8230->8231 8600 74e769 8231->8600 8237 7489fc 8240 748a89 CreateDirectoryA 8237->8240 8238 748b28 8239 75a805 2 API calls 8238->8239 8241 748bc2 
8239->8241 8242 75a805 2 API calls 8240->8242 8623 74846d 8241->8623 8243 748ae2 8242->8243 8247 758251 2 API calls 8243->8247 8246 758251 2 API calls 8248 748c06 Mailbox 8246->8248 8247->8238 8627 74c622 8248->8627 8250 748d6f 8251 75c0de 6 API calls 8250->8251 8253 748d85 8251->8253 8252 748cfe DeleteFileA 8255 748d3d RemoveDirectoryA 8252->8255 8256 748d2b 8252->8256 8257 748dc3 CreateDirectoryA 8253->8257 8255->8250 8256->8255 8258 748e00 8257->8258 8259 74f793 lstrlen 8258->8259 8260 748e64 CreateDirectoryA 8259->8260 8262 75a805 2 API calls 8260->8262 8263 748eb8 8262->8263 8264 75a805 2 API calls 8263->8264 8265 748f10 8264->8265 8266 758251 2 API calls 8265->8266 8267 748f6c 8266->8267 8268 74846d 9 API calls 8267->8268 8269 748f89 8268->8269 8270 758251 2 API calls 8269->8270 8271 748f9b Mailbox 8270->8271 8272 74c622 5 API calls 8271->8272 8273 748fca 8272->8273 8274 749769 8273->8274 8276 74906c 8273->8276 8277 748fec 8273->8277 8275 74f793 lstrlen 8274->8275 8279 74977f SetFileAttributesA 8275->8279 8278 75a805 2 API calls 8276->8278 8280 75a805 2 API calls 8277->8280 8281 749082 8278->8281 8288 7497e1 Mailbox 8279->8288 8282 74900e 8280->8282 8283 75074e wvsprintfA 8281->8283 8284 75074e wvsprintfA 8282->8284 8285 7490a0 8283->8285 8286 749034 8284->8286 8287 758251 2 API calls 8285->8287 8289 758251 2 API calls 8286->8289 8290 74905d 8287->8290 8288->8053 8289->8290 8291 749128 8290->8291 8292 749144 CreateDirectoryA 8291->8292 8293 74917e 8292->8293 8294 74f793 lstrlen 8293->8294 8295 7491cd CreateDirectoryA 8294->8295 8296 75a805 2 API calls 8295->8296 8297 749210 8296->8297 8298 75a805 2 API calls 8297->8298 8299 74923f 8298->8299 8300 758251 2 API calls 8299->8300 8301 74927a 8300->8301 8302 74846d 9 API calls 8301->8302 8303 74928f 8302->8303 8304 758251 2 API calls 8303->8304 8305 749307 Mailbox 8304->8305 8306 74c622 5 API calls 8305->8306 8307 749336 8306->8307 8308 749716 8307->8308 8309 749341 GetTempPathA 8307->8309 8308->8274 8310 7642b6 
lstrlen 8309->8310 8311 74938b 8310->8311 8312 74f793 lstrlen 8311->8312 8313 7494ae CreateDirectoryA 8312->8313 8314 7494fd 8313->8314 8315 75a805 2 API calls 8314->8315 8316 749519 8315->8316 8317 75a805 2 API calls 8316->8317 8318 749577 8317->8318 8319 758251 2 API calls 8318->8319 8320 7495a4 8319->8320 8321 74846d 9 API calls 8320->8321 8322 7495ba 8321->8322 8323 758251 2 API calls 8322->8323 8324 7495dc Mailbox 8323->8324 8325 74c622 5 API calls 8324->8325 8326 74960b 8325->8326 8326->8308 8327 749633 GetTempPathA 8326->8327 8328 749670 8327->8328 8329 75a805 2 API calls 8328->8329 8330 7496a4 8329->8330 8331 758251 2 API calls 8330->8331 8331->8308 8333 7642b6 lstrlen 8332->8333 8334 763e48 8333->8334 8334->8070 8336 7642cf lstrlen 8335->8336 8336->8075 8339 75210f CharLowerBuffA 8338->8339 8339->8082 8342 74f793 lstrlen 8341->8342 8343 743b68 8342->8343 8344 75a805 2 API calls 8343->8344 8345 743b88 8344->8345 8346 758251 2 API calls 8345->8346 8347 743bc6 CreateFileA 8346->8347 8348 743c14 Mailbox 8347->8348 8348->8098 8350 75b41c 8349->8350 8351 75b4ff GetComputerNameA 8350->8351 8352 75b536 8351->8352 8353 75b59e 8351->8353 8354 75a805 2 API calls 8352->8354 8355 75a805 2 API calls 8353->8355 8356 75b552 8354->8356 8357 75b5fa 8355->8357 8358 758251 2 API calls 8356->8358 8359 758251 2 API calls 8357->8359 8358->8353 8360 75b63d 8359->8360 8361 74846d 9 API calls 8360->8361 8362 75b661 8361->8362 8674 74695e 8362->8674 8364 75b6db Mailbox 8677 7684d7 8364->8677 8367 7642b6 lstrlen 8368 75b7d9 8367->8368 8716 750b92 8368->8716 8372 75b834 Mailbox 8373 74695e 8 API calls 8372->8373 8374 75b891 8373->8374 8375 750b92 9 API calls 8374->8375 8376 75b92e 8375->8376 8377 745724 8 API calls 8376->8377 8378 75b93d Mailbox 8377->8378 8379 74695e 8 API calls 8378->8379 8380 75b964 8379->8380 8381 750b92 9 API calls 8380->8381 8382 75b988 8381->8382 8383 745724 8 API calls 8382->8383 8384 75b997 Mailbox 8383->8384 8385 74695e 8 API calls 8384->8385 8386 75b9cf 
8385->8386 8387 750b92 9 API calls 8386->8387 8388 75b9fe 8387->8388 8389 745724 8 API calls 8388->8389 8390 75ba0a Mailbox 8389->8390 8391 74695e 8 API calls 8390->8391 8392 75ba25 8391->8392 8393 750b92 9 API calls 8392->8393 8394 75ba48 8393->8394 8395 745724 8 API calls 8394->8395 8396 75ba57 Mailbox 8395->8396 8397 74695e 8 API calls 8396->8397 8398 75ba79 8397->8398 8399 75a805 2 API calls 8398->8399 8400 75ba95 8399->8400 8401 750b92 9 API calls 8400->8401 8402 75bab9 8401->8402 8403 745724 8 API calls 8402->8403 8404 75bac8 Mailbox 8403->8404 8405 758251 2 API calls 8404->8405 8406 75baf7 8405->8406 8407 74695e 8 API calls 8406->8407 8408 75bb1f 8407->8408 8409 750b92 9 API calls 8408->8409 8410 75bb3d 8409->8410 8411 745724 8 API calls 8410->8411 8412 75bb49 Mailbox 8411->8412 8413 74695e 8 API calls 8412->8413 8414 75bb75 8413->8414 8415 750b92 9 API calls 8414->8415 8416 75bb96 8415->8416 8417 745724 8 API calls 8416->8417 8418 75bba5 Mailbox 8417->8418 8419 74695e 8 API calls 8418->8419 8420 75bbcb 8419->8420 8723 743cdc 8420->8723 8424 75bc06 8425 750b92 9 API calls 8424->8425 8426 75bc12 8425->8426 8427 745724 8 API calls 8426->8427 8428 75bc21 Mailbox 8427->8428 8429 74695e 8 API calls 8428->8429 8430 75bc3f 8429->8430 8431 750b92 9 API calls 8430->8431 8432 75bc85 8431->8432 8433 745724 8 API calls 8432->8433 8434 75bc94 Mailbox 8433->8434 8733 755fba 8434->8733 8436 75bccc 8760 769707 8436->8760 8438 75bd04 Mailbox 8763 769883 8438->8763 8440 75bd30 8767 74ee34 8440->8767 8442 75bd6e Mailbox 8442->8102 8444 743ebf GetSystemTimeAsFileTime 8443->8444 8446 743f11 __aulldiv 8444->8446 8446->8105 8448 74de20 8447->8448 8449 7642b6 lstrlen 8448->8449 8450 74de3f 8449->8450 8450->8121 8452 755751 CreateToolhelp32Snapshot 8451->8452 8455 755828 8452->8455 8454 755a95 Mailbox 8454->8156 8455->8454 8456 7558da Process32First 8455->8456 8457 755a6c FindCloseChangeNotification 8456->8457 8459 75590e 8456->8459 8457->8454 8458 7520d8 2 API calls 8458->8459 
8459->8458 8460 7559c2 Process32Next 8459->8460 8461 755a29 8459->8461 8460->8459 8461->8457 8463 74ddd3 lstrlen 8462->8463 8465 74f7bd 8463->8465 8464 74f80a 8464->8180 8465->8464 8466 7642b6 lstrlen 8465->8466 8466->8464 8468 7675f4 8467->8468 8469 7676ef CreateFileA 8468->8469 8470 767732 Mailbox 8469->8470 8470->8192 8472 764797 8471->8472 8473 764771 8471->8473 8474 75a805 2 API calls 8472->8474 8476 74bece 9 API calls 8473->8476 8475 7647be 8474->8475 8477 7675ce CreateFileA 8475->8477 8476->8472 8478 7647e5 8477->8478 8479 758251 2 API calls 8478->8479 8480 764803 8479->8480 8481 764835 Sleep 8480->8481 8482 7648af 8480->8482 8485 75a805 2 API calls 8481->8485 8483 761fe7 8482->8483 8484 7648cd 8482->8484 8483->8197 8817 7691aa 8484->8817 8487 764886 8485->8487 8489 7675ce CreateFileA 8487->8489 8491 76489b 8489->8491 8493 758251 2 API calls 8491->8493 8492 7648f6 8492->8483 8493->8482 8495 750764 wvsprintfA 8494->8495 8495->8202 8498 7554ea Mailbox 8497->8498 8499 7555fd CreateProcessA 8498->8499 8500 755677 8499->8500 8501 755633 8499->8501 8500->8208 8502 755645 8501->8502 8503 75564f CloseHandle CloseHandle 8501->8503 8502->8503 8503->8500 8504->8210 8506 75b068 CreateFileA 8505->8506 8508 75b142 GetFileTime 8506->8508 8513 75b11b 8506->8513 8509 75b177 CloseHandle 8508->8509 8511 75b1c7 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 8508->8511 8509->8513 8512 75b264 GetFileSize CloseHandle 8511->8512 8512->8513 8513->8116 8515 75084d CreateToolhelp32Snapshot 8514->8515 8517 750b20 Mailbox 8515->8517 8518 7508ee Process32First 8515->8518 8517->8139 8521 750988 8518->8521 8525 750aea CloseHandle 8518->8525 8522 7520d8 2 API calls 8521->8522 8523 7509f5 OpenProcess 8521->8523 8524 750aa4 Process32Next 8521->8524 8526 750a61 TerminateProcess CloseHandle 8521->8526 8522->8521 8523->8521 8524->8521 8524->8525 8525->8517 8526->8521 8528 75af3f 8527->8528 8823 75111e 8528->8823 8530 75af7b 8531 7554d8 3 API calls 8530->8531 8532 75afe0 Mailbox 8531->8532 
8532->8111 8534 745c69 8533->8534 8535 7642b6 lstrlen 8534->8535 8542 746052 Mailbox 8534->8542 8536 745dce Sleep 8535->8536 8537 745e25 8536->8537 8538 75a805 2 API calls 8537->8538 8539 745e52 8538->8539 8540 758251 2 API calls 8539->8540 8541 745e87 FindFirstFileA 8540->8541 8541->8542 8544 745ecd 8541->8544 8542->8119 8543 745fdb DeleteFileA 8543->8544 8545 746018 FindNextFileA 8543->8545 8544->8543 8544->8545 8545->8544 8546 74602e FindClose 8545->8546 8546->8542 8548 763980 8547->8548 8549 74f793 lstrlen 8548->8549 8550 7639f3 8549->8550 8551 75a805 2 API calls 8550->8551 8556 763a11 Mailbox 8550->8556 8552 763ace 8551->8552 8553 758251 2 API calls 8552->8553 8554 763b0d 8553->8554 8854 759b78 8554->8854 8556->8147 8558 74f065 8557->8558 8559 743e8c GetSystemTimeAsFileTime 8558->8559 8560 74f079 8559->8560 8561 743e8c GetSystemTimeAsFileTime 8560->8561 8562 74f15a 8560->8562 8565 74f104 8561->8565 8562->8137 8563 74f10f Sleep 8564 743e8c GetSystemTimeAsFileTime 8563->8564 8564->8565 8565->8562 8565->8563 8567 7635f3 OpenSCManagerA 8566->8567 8569 7636a9 CreateServiceA 8567->8569 8577 7638db 8567->8577 8570 763777 OpenServiceA 8569->8570 8571 7636f0 ChangeServiceConfig2A StartServiceA CloseServiceHandle 8569->8571 8575 7637eb 8570->8575 8573 76388e CloseServiceHandle 8571->8573 8573->8577 8576 763811 StartServiceA CloseServiceHandle 8575->8576 8578 763866 8575->8578 8576->8578 8577->8161 8578->8573 8580 756c36 8579->8580 8581 75a805 2 API calls 8580->8581 8582 756c9d RegOpenKeyA 8581->8582 8583 758251 2 API calls 8582->8583 8584 756ccb 8583->8584 8585 756d31 RegCloseKey 8584->8585 8586 7642b6 lstrlen 8584->8586 8585->8172 8587 756d0f RegSetValueExA 8586->8587 8587->8585 8871 75bf87 8588->8871 8590 751600 ExitProcess 8592 74e30a 8591->8592 8593 74b7cd WaitForSingleObject 8592->8593 8594 74e324 8593->8594 8595 7515e5 ExitProcess 8594->8595 8596 74e35a 8595->8596 8596->8095 8598 7623e2 GetProcessHeap RtlAllocateHeap 8597->8598 8599 7623c0 8597->8599 8598->8221 
8599->8598 8602 74e79e AllocateAndInitializeSid 8600->8602 8603 74e883 CheckTokenMembership 8602->8603 8604 748954 8602->8604 8605 74e89f 8603->8605 8606 74e8c9 FreeSid 8603->8606 8607 74457c 8604->8607 8605->8606 8606->8604 8608 744595 8607->8608 8609 75a805 2 API calls 8608->8609 8610 7445da GetProcAddress 8609->8610 8611 758251 2 API calls 8610->8611 8612 744613 8611->8612 8613 744623 GetCurrentProcess 8612->8613 8614 74463a 8612->8614 8613->8614 8614->8238 8615 75c0de GetWindowsDirectoryA 8614->8615 8616 75c125 8615->8616 8617 75a805 2 API calls 8616->8617 8622 75c1b6 8616->8622 8618 75c164 8617->8618 8619 758251 2 API calls 8618->8619 8620 75c1a4 8619->8620 8621 7642b6 lstrlen 8620->8621 8621->8622 8622->8237 8624 74848a 8623->8624 8643 744f47 8624->8643 8628 74c62f 8627->8628 8629 74b7cd WaitForSingleObject 8628->8629 8630 74c686 8629->8630 8631 74c6b3 8630->8631 8632 74c6ef CreateFileA 8630->8632 8633 744eb1 ReleaseMutex 8631->8633 8635 74c75d 8632->8635 8637 74c79f Mailbox 8632->8637 8642 748c6e 8633->8642 8636 744eb1 ReleaseMutex 8635->8636 8636->8642 8638 74c8fa WriteFile 8637->8638 8638->8637 8639 74c94e FindCloseChangeNotification 8638->8639 8672 744eb1 ReleaseMutex 8639->8672 8642->8250 8642->8252 8644 744f6e 8643->8644 8645 7642b6 lstrlen 8644->8645 8646 744f99 8645->8646 8649 762f94 8646->8649 8648 744fa3 8648->8246 8652 7694ec 8649->8652 8651 762fac Mailbox 8651->8648 8653 769509 Mailbox 8652->8653 8655 76950e Mailbox 8653->8655 8656 74f821 8653->8656 8655->8651 8657 74f845 8656->8657 8659 74f85a Mailbox 8657->8659 8660 757f29 8657->8660 8659->8655 8661 757f48 Mailbox 8660->8661 8662 758135 8661->8662 8664 75802a 8661->8664 8668 758109 Mailbox 8661->8668 8669 7690f1 8662->8669 8665 7623a6 Mailbox 2 API calls 8664->8665 8666 758057 Mailbox 8665->8666 8667 74de5a Mailbox 2 API calls 8666->8667 8667->8668 8668->8659 8670 769152 GetProcessHeap HeapAlloc 8669->8670 8671 76912b GetProcessHeap RtlReAllocateHeap 8669->8671 8670->8668 8671->8668 8673 744ecb 
8672->8673 8673->8642 8675 769883 8 API calls 8674->8675 8676 746983 8675->8676 8676->8364 8678 768577 8677->8678 8679 75a805 2 API calls 8678->8679 8680 768652 8679->8680 8681 758251 2 API calls 8680->8681 8682 7686d5 GetProcessHeap 8681->8682 8683 768711 8682->8683 8695 75b7c4 8682->8695 8684 75a805 2 API calls 8683->8684 8685 768739 LoadLibraryA 8684->8685 8687 758251 2 API calls 8685->8687 8688 76878f 8687->8688 8689 75a805 2 API calls 8688->8689 8688->8695 8690 768837 GetProcAddress 8689->8690 8691 758251 2 API calls 8690->8691 8692 76886e 8691->8692 8693 768886 FreeLibrary 8692->8693 8694 7688ac RtlAllocateHeap 8692->8694 8693->8695 8696 768926 GetAdaptersInfo 8694->8696 8697 7688fb FreeLibrary 8694->8697 8695->8367 8698 768950 8696->8698 8697->8695 8699 76896c HeapFree 8698->8699 8700 768a39 GetAdaptersInfo 8698->8700 8701 76898e HeapAlloc 8699->8701 8706 768a94 8700->8706 8715 768d26 Mailbox 8700->8715 8704 768a27 8701->8704 8705 7689fb FreeLibrary 8701->8705 8704->8700 8705->8695 8707 75a805 2 API calls 8706->8707 8709 768ac3 8707->8709 8708 769094 HeapFree FreeLibrary 8708->8695 8710 758251 2 API calls 8709->8710 8711 768b17 8710->8711 8712 75a805 2 API calls 8711->8712 8711->8715 8713 768d41 8712->8713 8714 758251 2 API calls 8713->8714 8714->8715 8715->8708 8773 7523e9 8716->8773 8719 745724 8720 74573e Mailbox 8719->8720 8721 769883 8 API calls 8720->8721 8722 745789 8721->8722 8722->8372 8724 743d0f Mailbox 8723->8724 8725 75a805 2 API calls 8724->8725 8726 743d74 8725->8726 8727 758251 2 API calls 8726->8727 8728 743db8 8727->8728 8729 744d07 8728->8729 8730 744d1f 8729->8730 8731 7642b6 lstrlen 8730->8731 8732 744d4c 8731->8732 8732->8424 8734 756020 8733->8734 8735 75a805 2 API calls 8734->8735 8736 75604e 8735->8736 8737 75a805 2 API calls 8736->8737 8738 756067 8737->8738 8739 75a805 2 API calls 8738->8739 8740 7560be 8739->8740 8741 758251 2 API calls 8740->8741 8742 7560d2 8741->8742 8743 75a805 2 API calls 8742->8743 8744 756144 8743->8744 
8745 758251 2 API calls 8744->8745 8746 7561a1 8745->8746 8747 758251 2 API calls 8746->8747 8750 75621c 8747->8750 8748 756a70 8749 758251 2 API calls 8748->8749 8754 756b1c Mailbox 8749->8754 8751 75664d Mailbox 8750->8751 8758 745071 9 API calls 8750->8758 8779 7507f5 8750->8779 8751->8748 8752 7507f5 8 API calls 8751->8752 8755 756983 8751->8755 8757 745071 9 API calls 8751->8757 8752->8751 8754->8436 8755->8748 8756 7507f5 8 API calls 8755->8756 8782 745071 8755->8782 8756->8755 8757->8751 8758->8750 8761 7694ec Mailbox 8 API calls 8760->8761 8762 76970e 8761->8762 8762->8438 8764 769898 Mailbox 8763->8764 8765 7694ec Mailbox 8 API calls 8764->8765 8766 7698a3 Mailbox 8765->8766 8766->8440 8768 74ee52 8767->8768 8792 751da2 8768->8792 8770 74ee71 Mailbox 8771 769883 8 API calls 8770->8771 8772 74ef9f 8770->8772 8771->8772 8772->8442 8774 7523f5 8773->8774 8775 7642b6 lstrlen 8774->8775 8776 752488 8775->8776 8777 762f94 8 API calls 8776->8777 8778 750ba0 8777->8778 8778->8719 8788 74ba10 8779->8788 8781 750802 8781->8750 8783 74acbe 8782->8783 8784 7642b6 lstrlen 8783->8784 8785 74ad02 8784->8785 8786 769883 8 API calls 8785->8786 8787 74ad0c 8786->8787 8787->8755 8789 74ba25 Mailbox 8788->8789 8790 7694ec Mailbox 8 API calls 8789->8790 8791 74ba30 Mailbox 8790->8791 8791->8781 8797 74db48 8792->8797 8794 751db4 8796 751e43 8794->8796 8801 74bece 8794->8801 8796->8770 8798 74db9f 8797->8798 8799 74db5b Mailbox 8797->8799 8798->8794 8800 769707 Mailbox 8 API calls 8799->8800 8800->8798 8802 74bf08 8801->8802 8803 74b7cd WaitForSingleObject 8802->8803 8804 74bfa2 8803->8804 8805 75a805 2 API calls 8804->8805 8816 74c09d 8804->8816 8807 74bfe5 GetProcAddress 8805->8807 8806 74c1c7 CryptGenRandom 8814 74c1dd 8806->8814 8808 75a805 2 API calls 8807->8808 8810 74c033 8808->8810 8809 744eb1 ReleaseMutex 8811 74c2bd 8809->8811 8812 758251 2 API calls 8810->8812 8811->8794 8813 74c06d GetProcAddress 8812->8813 8815 758251 2 API calls 8813->8815 8814->8809 8815->8816 
8816->8806 8816->8814 8819 7691e0 8817->8819 8818 7648e6 8821 74ea59 CloseHandle 8818->8821 8819->8818 8820 7692ba WriteFile 8819->8820 8820->8818 8822 74ea8e 8821->8822 8822->8492 8824 75114d 8823->8824 8825 7511d9 CreateFileA 8824->8825 8826 751219 8825->8826 8827 7515a4 8826->8827 8828 75124b ReadFile CloseHandle 8826->8828 8827->8530 8829 75129d 8828->8829 8830 7512bd GetTickCount 8829->8830 8850 7451ca 8830->8850 8832 7512de 8833 7642b6 lstrlen 8832->8833 8834 751310 8833->8834 8835 75a805 2 API calls 8834->8835 8836 751378 8835->8836 8837 758251 2 API calls 8836->8837 8840 751416 8837->8840 8839 75154f 8839->8827 8841 751564 WriteFile CloseHandle 8839->8841 8842 75a805 2 API calls 8840->8842 8849 7514e0 CreateFileA 8840->8849 8841->8827 8843 75147e 8842->8843 8844 7642b6 lstrlen 8843->8844 8845 7514a0 8844->8845 8846 75074e wvsprintfA 8845->8846 8847 7514a9 8846->8847 8848 758251 2 API calls 8847->8848 8848->8849 8849->8839 8851 7451ea 8850->8851 8852 7642b6 lstrlen 8851->8852 8853 745235 8852->8853 8853->8832 8855 759b85 8854->8855 8856 769707 Mailbox 8 API calls 8855->8856 8857 759c02 8856->8857 8858 74b7cd WaitForSingleObject 8857->8858 8859 759c24 CreateFileA 8858->8859 8860 759c5a 8859->8860 8864 759c78 Mailbox 8859->8864 8862 744eb1 ReleaseMutex 8860->8862 8861 759c8b ReadFile 8861->8864 8870 759e2f Mailbox 8862->8870 8863 757f29 Mailbox 8 API calls 8863->8864 8864->8861 8864->8863 8865 759e6a CloseHandle 8864->8865 8866 769883 8 API calls 8864->8866 8867 759dbc CloseHandle 8864->8867 8865->8860 8866->8864 8868 759dd9 8867->8868 8869 744eb1 ReleaseMutex 8868->8869 8869->8870 8870->8556 8872 75bfa3 8871->8872 8872->8590 8874 76250c 8873->8874 8875 76d256 3 API calls 8874->8875 8876 76261c 8875->8876 8877 745c39 10 API calls 8876->8877 8878 762645 8877->8878 8879 74f793 lstrlen 8878->8879 8880 762697 8879->8880 8881 75a805 2 API calls 8880->8881 8882 7626ad 8881->8882 8883 758251 2 API calls 8882->8883 8892 762706 Mailbox 8883->8892 8884 743e8c 
GetSystemTimeAsFileTime 8884->8892 8885 76473b 13 API calls 8885->8892 8886 769707 Mailbox 8 API calls 8887 762cf0 Sleep 8886->8887 9017 752192 8887->9017 8889 75571f 6 API calls 8889->8892 8890 7554d8 3 API calls 8890->8892 8892->8884 8892->8885 8892->8886 8892->8889 8892->8890 8893 75a805 2 API calls 8892->8893 8905 76443e 8892->8905 8917 758695 8892->8917 8893->8892 8895 758251 GetProcessHeap RtlFreeHeap 8903 7629d3 Mailbox 8895->8903 8896 767dc0 51 API calls 8896->8903 8897 74846d 9 API calls 8897->8903 8898 74695e 8 API calls 8898->8903 8900 745724 8 API calls 8900->8903 8901 75a805 GetProcessHeap RtlAllocateHeap 8901->8903 8902 758695 21 API calls 8902->8903 8903->8892 8903->8895 8903->8896 8903->8897 8903->8898 8903->8900 8903->8901 8903->8902 8904 764927 33 API calls 8903->8904 9027 74fe4b 8903->9027 8904->8903 8906 764470 8905->8906 8907 75a805 2 API calls 8906->8907 8908 7644cd 8907->8908 8909 75a805 2 API calls 8908->8909 8910 7644fc 8909->8910 9031 74a928 8910->9031 8913 758251 2 API calls 8914 764546 8913->8914 8915 758251 2 API calls 8914->8915 8916 76456f 8915->8916 8916->8892 8918 7586b6 8917->8918 8919 743e8c GetSystemTimeAsFileTime 8918->8919 8920 758873 8919->8920 8921 7642b6 lstrlen 8920->8921 8926 7588d0 8921->8926 8922 7642b6 lstrlen 8923 758a48 8922->8923 8924 7642b6 lstrlen 8923->8924 8925 758a56 8924->8925 8927 75a805 2 API calls 8925->8927 9009 759185 Mailbox 8925->9009 8926->8922 8926->9009 8928 758ad5 8927->8928 8929 74846d 9 API calls 8928->8929 8930 758b0f 8929->8930 8931 758251 2 API calls 8930->8931 8932 758b3d Mailbox 8931->8932 8933 75a805 2 API calls 8932->8933 8947 758d19 8932->8947 8935 758b9e 8933->8935 8934 750b92 9 API calls 8936 758dbe 8934->8936 8937 7523e9 9 API calls 8935->8937 8938 745724 8 API calls 8936->8938 8940 758bc8 Mailbox 8937->8940 8939 758dca Mailbox 8938->8939 8941 75a805 2 API calls 8939->8941 8943 758251 2 API calls 8940->8943 8942 758ded 8941->8942 8944 750b92 9 API calls 8942->8944 8949 758bf7 8943->8949 
8945 758e04 8944->8945 8946 745724 8 API calls 8945->8946 8948 758e10 Mailbox 8946->8948 8947->8934 8951 758251 2 API calls 8948->8951 8949->8947 9037 751c14 8949->9037 8953 758e3b 8951->8953 8952 758c77 8954 75a805 2 API calls 8952->8954 8955 750b92 9 API calls 8953->8955 8956 758cbd 8954->8956 8957 758e8b 8955->8957 8959 74846d 9 API calls 8956->8959 8958 745724 8 API calls 8957->8958 8962 758e9a Mailbox 8958->8962 8960 758cff 8959->8960 8961 758251 2 API calls 8960->8961 8961->8947 8964 75a805 2 API calls 8962->8964 8999 759051 Mailbox 8962->8999 8963 75a805 2 API calls 8965 759087 8963->8965 8966 758f09 8964->8966 8968 750b92 9 API calls 8965->8968 8967 750b92 9 API calls 8966->8967 8969 758f23 8967->8969 8970 7590d7 8968->8970 8971 745724 8 API calls 8969->8971 8972 745724 8 API calls 8970->8972 8973 758f32 Mailbox 8971->8973 8974 7590e3 Mailbox 8972->8974 8975 75a805 2 API calls 8973->8975 8976 758251 2 API calls 8974->8976 8977 758f5b 8975->8977 8978 7590fd 8976->8978 8980 758251 2 API calls 8977->8980 8979 759142 socket 8978->8979 8981 745724 8 API calls 8978->8981 8983 759197 8979->8983 8979->9009 8982 758fbc Mailbox 8980->8982 8981->8979 8986 75074e wvsprintfA 8982->8986 8984 7591f3 gethostbyname 8983->8984 8985 7591bb setsockopt 8983->8985 8989 759289 inet_ntoa inet_addr 8984->8989 8984->9009 8985->8984 8988 758fdd 8986->8988 8990 758251 2 API calls 8988->8990 8993 7592ef 8989->8993 8994 7592f9 htons connect 8989->8994 8992 758ff4 8990->8992 8995 750b92 9 API calls 8992->8995 8993->8994 8997 75932f Mailbox 8994->8997 8994->9009 8996 759042 8995->8996 8998 745724 8 API calls 8996->8998 9000 75939f send 8997->9000 8998->8999 8999->8963 9001 7593bb Mailbox 9000->9001 9002 769707 Mailbox 8 API calls 9001->9002 9001->9009 9016 7593df Mailbox 9002->9016 9003 75946b recv 9003->9016 9004 759784 closesocket 9007 7597e1 9004->9007 9004->9009 9008 751c14 8 API calls 9007->9008 9008->9009 9009->8903 9010 757f29 Mailbox 8 API calls 9010->9016 9011 769883 8 API calls 
9011->9016 9012 75a805 GetProcessHeap RtlAllocateHeap 9012->9016 9013 758251 GetProcessHeap RtlFreeHeap 9013->9016 9015 7523e9 9 API calls 9015->9016 9016->9003 9016->9004 9016->9010 9016->9011 9016->9012 9016->9013 9016->9015 9041 76d5e8 9016->9041 9045 74f1bd 9016->9045 9018 7521ab 9017->9018 9021 752298 9018->9021 9022 75233c 9018->9022 9026 7523d9 9018->9026 9019 7522b7 DeleteFileA 9019->9021 9021->9018 9021->9019 9063 759ef6 9021->9063 9023 7523c2 9022->9023 9068 74b920 9022->9068 9072 745430 9023->9072 9026->8892 9028 74fe66 Mailbox 9027->9028 9029 769883 8 API calls 9028->9029 9030 74ff60 Mailbox 9028->9030 9029->9030 9030->8903 9032 74a95f Mailbox 9031->9032 9033 75a805 2 API calls 9032->9033 9034 74ac5d 9033->9034 9035 758251 2 API calls 9034->9035 9036 74ac90 9035->9036 9036->8913 9038 751c36 Mailbox 9037->9038 9059 74bdcb 9038->9059 9040 751ce6 Mailbox 9040->8952 9042 76d5ff 9041->9042 9043 743e8c GetSystemTimeAsFileTime 9042->9043 9044 76d628 9042->9044 9043->9044 9044->9016 9046 74f206 9045->9046 9047 75a805 2 API calls 9046->9047 9048 74f22f 9047->9048 9049 7523e9 9 API calls 9048->9049 9050 74f250 Mailbox 9049->9050 9051 758251 2 API calls 9050->9051 9052 74f28d 9051->9052 9053 75a805 2 API calls 9052->9053 9058 74f2a5 9052->9058 9054 74f2cb 9053->9054 9055 7523e9 9 API calls 9054->9055 9056 74f2e2 Mailbox 9055->9056 9057 758251 2 API calls 9056->9057 9057->9058 9058->9016 9060 74bde1 Mailbox 9059->9060 9061 757f29 Mailbox 8 API calls 9060->9061 9062 74be04 Mailbox 9061->9062 9062->9040 9076 755b3e 9063->9076 9065 759f0d 9080 7482bf 9065->9080 9069 74b93a 9068->9069 9070 74b97f 9069->9070 9095 74de9c 9069->9095 9070->9022 9073 745438 9072->9073 9102 7694b4 9073->9102 9077 755b5a Mailbox 9076->9077 9078 757f29 Mailbox 8 API calls 9077->9078 9079 755b64 Mailbox 9078->9079 9079->9065 9081 7482cc 9080->9081 9082 7482dc 9081->9082 9084 759a0f 9081->9084 9082->9021 9087 767848 9084->9087 9086 759a1d 9086->9082 9088 76785a Mailbox 9087->9088 9091 764333 
9088->9091 9090 767870 Mailbox 9090->9086 9092 76433e 9091->9092 9093 74f821 Mailbox 8 API calls 9092->9093 9094 7643a8 9093->9094 9094->9090 9098 7484ea 9095->9098 9099 748529 9098->9099 9100 74bdcb 8 API calls 9099->9100 9101 74854b 9100->9101 9101->9070 9103 7694e3 9102->9103 9104 7694bd Mailbox 9102->9104 9105 74de5a Mailbox 2 API calls 9104->9105 9105->9103 9396 7695bd 9397 7695c3 Mailbox 9396->9397 9398 7690f1 Mailbox 4 API calls 9397->9398 9399 769605 Mailbox 9398->9399 9406 7459a1 9409 76cf7e 9406->9409 9410 76236a lstrlen 9409->9410 9411 7459af 9410->9411 9339 76df16 9344 756bb9 9339->9344 9351 7692e8 9344->9351 9352 7692fe 9351->9352 9353 74db48 Mailbox 8 API calls 9352->9353 9354 769338 9353->9354 9419 74519e 9420 7623a6 Mailbox 2 API calls 9419->9420 9421 7451b3 9420->9421 9190 76d01d 9191 76d03a 9190->9191 9197 765d58 9191->9197 9195 76d067 9196 76d108 ExitProcess 9195->9196 9198 765d93 9197->9198 9208 74565e 9198->9208 9200 765dbb 9201 755d50 9200->9201 9202 755d74 9201->9202 9203 755d87 GetStdHandle 9201->9203 9202->9203 9204 755dc5 GetStdHandle 9203->9204 9205 755db3 9203->9205 9206 755dfa GetStdHandle 9204->9206 9205->9204 9206->9195 9209 7456c5 GetProcessHeap HeapAlloc 9208->9209 9210 745695 9208->9210 9209->9200 9210->9209 9295 755485 9297 755488 Mailbox 9295->9297 9296 7555fd CreateProcessA 9298 755677 9296->9298 9299 755633 CloseHandle CloseHandle 9296->9299 9297->9296 9299->9298 9301 757686 9304 74fc1b 9301->9304 9305 7694b4 Mailbox 2 API calls 9304->9305 9306 74fc29 9305->9306 9426 74ad87 9427 74ada3 9426->9427 9482 74501c 9427->9482 9429 74ae0e 9430 76443e 4 API calls 9429->9430 9435 74b26c Mailbox 9429->9435 9431 74aeff 9430->9431 9432 75a805 2 API calls 9431->9432 9433 74af15 9432->9433 9434 74846d 9 API calls 9433->9434 9436 74af2d 9434->9436 9437 758251 2 API calls 9436->9437 9438 74af56 9437->9438 9485 762306 9438->9485 9443 745724 8 API calls 9444 74af88 Mailbox 9443->9444 9445 75a805 2 API calls 9444->9445 9446 74afc5 9445->9446 9447 
750b92 9 API calls 9446->9447 9448 74afe2 9447->9448 9449 745724 8 API calls 9448->9449 9450 74afee Mailbox 9449->9450 9451 758251 2 API calls 9450->9451 9452 74b00f 9451->9452 9453 74fe4b 8 API calls 9452->9453 9454 74b02d 9453->9454 9455 745724 8 API calls 9454->9455 9456 74b036 Mailbox 9455->9456 9457 751c14 8 API calls 9456->9457 9458 74b066 9457->9458 9491 7460ad 9458->9491 9460 74b085 Mailbox 9461 755fba 9 API calls 9460->9461 9462 74b0c9 9461->9462 9545 747ef1 9462->9545 9465 75a805 2 API calls 9466 74b0f8 9465->9466 9467 750b92 9 API calls 9466->9467 9468 74b149 9467->9468 9469 745724 8 API calls 9468->9469 9470 74b155 Mailbox 9469->9470 9471 758251 2 API calls 9470->9471 9472 74b174 Mailbox 9471->9472 9473 769883 8 API calls 9472->9473 9474 74b19a 9473->9474 9475 769707 Mailbox 8 API calls 9474->9475 9476 74b1ea 9475->9476 9477 75a805 2 API calls 9476->9477 9478 74b217 9477->9478 9479 758695 21 API calls 9478->9479 9480 74b235 9479->9480 9481 758251 2 API calls 9480->9481 9481->9435 9483 769883 8 API calls 9482->9483 9484 745042 SetEvent 9483->9484 9484->9429 9549 744f0b 9485->9549 9488 751bc3 9489 767848 8 API calls 9488->9489 9490 74af7c 9489->9490 9490->9443 9492 746101 9491->9492 9493 75a805 2 API calls 9492->9493 9498 74623b Mailbox 9492->9498 9494 7461a7 9493->9494 9495 74846d 9 API calls 9494->9495 9496 7461d6 9495->9496 9497 758251 2 API calls 9496->9497 9497->9498 9499 746321 9498->9499 9503 7463fd 9498->9503 9500 75a805 2 API calls 9499->9500 9501 74635d 9500->9501 9502 74846d 9 API calls 9501->9502 9504 746381 9502->9504 9506 75a805 2 API calls 9503->9506 9505 758251 2 API calls 9504->9505 9507 74639c Mailbox 9505->9507 9508 746487 Mailbox 9506->9508 9507->9460 9557 757ab8 9508->9557 9511 758251 2 API calls 9512 7464eb 9511->9512 9513 74651c 9512->9513 9514 746598 9512->9514 9516 75a805 2 API calls 9513->9516 9569 748036 9514->9569 9518 746532 9516->9518 9521 74846d 9 API calls 9518->9521 9519 746668 9522 74ddd3 lstrlen 9519->9522 9520 7465cb 
9525 75a805 2 API calls 9520->9525 9523 746548 9521->9523 9524 7466a4 9522->9524 9526 758251 2 API calls 9523->9526 9573 75ae3b 9524->9573 9527 7465f2 9525->9527 9526->9507 9529 74846d 9 API calls 9527->9529 9531 746612 9529->9531 9533 758251 2 API calls 9531->9533 9533->9507 9535 75a805 2 API calls 9536 746718 9535->9536 9537 758251 2 API calls 9536->9537 9538 746775 9537->9538 9539 7642b6 lstrlen 9538->9539 9540 7467c4 9539->9540 9541 74c622 5 API calls 9540->9541 9542 7467e3 9541->9542 9581 76d831 9542->9581 9546 747f14 9545->9546 9547 74dd8f 8 API calls 9546->9547 9548 747f37 9547->9548 9548->9465 9550 744f16 9549->9550 9553 74e739 9550->9553 9554 74e751 9553->9554 9555 74dd8f 8 API calls 9554->9555 9556 744f36 9555->9556 9556->9488 9558 757ae2 9557->9558 9565 7464bc 9558->9565 9610 766c12 9558->9610 9562 757c94 Mailbox 9637 75761b 9562->9637 9564 757d11 9564->9562 9620 75bff6 9564->9620 9565->9511 9567 757dab 9627 7570e6 9567->9627 9570 74804b GetModuleFileNameA 9569->9570 9572 7465c2 9570->9572 9572->9519 9572->9520 9574 75ae5e 9573->9574 9575 74bece 9 API calls 9574->9575 9576 7466de 9574->9576 9575->9576 9577 763ca3 9576->9577 9578 746702 9577->9578 9580 763cd9 9577->9580 9578->9535 9579 75ae3b 9 API calls 9579->9580 9580->9578 9580->9579 9582 76d84e Mailbox 9581->9582 9583 76d94f CreatePipe 9582->9583 9584 76d9ad SetHandleInformation 9583->9584 9585 76d999 9583->9585 9589 76da12 9584->9589 9590 76da3b CreatePipe 9584->9590 9586 769707 Mailbox 8 API calls 9585->9586 9588 746894 DeleteFileA 9585->9588 9586->9588 9588->9507 9589->9590 9591 76da66 SetHandleInformation 9590->9591 9592 76da52 9590->9592 9595 76da9a Mailbox 9591->9595 9593 76de64 CloseHandle 9592->9593 9593->9585 9594 76de7b CloseHandle 9593->9594 9594->9585 9596 76db76 CreateProcessA 9595->9596 9597 76dc04 WriteFile 9596->9597 9598 76dbe0 CloseHandle 9596->9598 9597->9598 9600 76dc3e CloseHandle CloseHandle 9597->9600 9601 76ddd2 CloseHandle 9598->9601 9604 76dca1 9600->9604 9601->9593 9772 
764101 9604->9772 9608 76dd6c CloseHandle CloseHandle 9608->9601 9611 766c2d 9610->9611 9612 744088 4 API calls 9611->9612 9613 766cb8 9612->9613 9614 7486e2 4 API calls 9613->9614 9615 757c5d 9613->9615 9614->9615 9615->9562 9616 7486e2 9615->9616 9617 7486f8 9616->9617 9618 744088 4 API calls 9617->9618 9619 74873e Mailbox 9618->9619 9619->9564 9640 747bf8 9620->9640 9624 75c05c 9652 74774c 9624->9652 9626 75c089 Mailbox 9626->9567 9628 7570f3 9627->9628 9633 7571ef 9628->9633 9664 75a4b9 9628->9664 9631 75a805 2 API calls 9634 75740b 9631->9634 9632 75a805 2 API calls 9632->9633 9633->9562 9634->9633 9635 758251 2 API calls 9634->9635 9636 75745e 9635->9636 9636->9632 9636->9633 9638 76572d 2 API calls 9637->9638 9639 757661 9638->9639 9639->9565 9641 747c25 9640->9641 9642 75a805 2 API calls 9641->9642 9643 747c4e Mailbox 9642->9643 9644 758251 2 API calls 9643->9644 9645 747c82 9644->9645 9646 750ce6 9645->9646 9647 750d32 Mailbox 9646->9647 9649 750ecd 9647->9649 9650 751054 Mailbox 9647->9650 9658 750113 9647->9658 9649->9650 9651 750113 4 API calls 9649->9651 9650->9624 9651->9649 9653 7477a8 Mailbox 9652->9653 9654 750ce6 4 API calls 9653->9654 9655 747a60 9654->9655 9656 750ce6 4 API calls 9655->9656 9657 747ab2 9656->9657 9657->9626 9659 750132 Mailbox 9658->9659 9660 75a805 2 API calls 9659->9660 9661 750318 9660->9661 9662 758251 2 API calls 9661->9662 9663 7505f9 9662->9663 9663->9649 9665 75a506 9664->9665 9666 766c12 4 API calls 9665->9666 9668 75a539 9666->9668 9667 76572d 2 API calls 9672 75719b 9667->9672 9669 75a563 9668->9669 9670 75a58e 9668->9670 9674 75a5e4 9668->9674 9671 76572d 2 API calls 9669->9671 9675 7469a8 9670->9675 9671->9672 9672->9631 9672->9633 9672->9636 9674->9667 9677 7469c7 Mailbox 9675->9677 9676 7476f7 9676->9674 9677->9676 9678 744088 4 API calls 9677->9678 9679 746c45 9678->9679 9681 744088 4 API calls 9679->9681 9709 7470f3 9679->9709 9680 7476cf 9682 7476e7 9680->9682 9683 7476fc 9680->9683 9687 746c6a 9681->9687 9685 
76572d 2 API calls 9682->9685 9686 76572d 2 API calls 9683->9686 9684 76572d 2 API calls 9684->9709 9685->9676 9686->9676 9688 744088 4 API calls 9687->9688 9687->9709 9689 746c97 9688->9689 9690 7486e2 4 API calls 9689->9690 9700 746cb9 Mailbox 9689->9700 9689->9709 9691 746d18 9690->9691 9691->9709 9710 74dec6 9691->9710 9694 746e4c 9697 7485a4 4 API calls 9694->9697 9695 746e3d 9696 762405 4 API calls 9695->9696 9699 746e47 9696->9699 9697->9699 9701 7485a4 4 API calls 9699->9701 9700->9694 9700->9695 9700->9709 9702 746ec5 9701->9702 9703 744088 4 API calls 9702->9703 9702->9709 9704 746f71 9703->9704 9705 7485a4 4 API calls 9704->9705 9704->9709 9707 746f9e 9705->9707 9706 744088 4 API calls 9706->9707 9707->9706 9708 7485a4 4 API calls 9707->9708 9707->9709 9708->9707 9709->9680 9709->9684 9711 74df1f 9710->9711 9712 744088 4 API calls 9711->9712 9713 746d62 9711->9713 9712->9713 9713->9709 9714 762405 9713->9714 9715 762431 9714->9715 9722 749903 9715->9722 9717 7624b6 9717->9700 9718 762450 9718->9717 9719 74e4e4 4 API calls 9718->9719 9720 76248c 9718->9720 9719->9718 9720->9717 9762 756d72 9720->9762 9723 749924 9722->9723 9724 7499a4 9723->9724 9726 749a10 9723->9726 9729 749952 9723->9729 9725 7499c4 9724->9725 9727 7486e2 4 API calls 9724->9727 9728 7485a4 4 API calls 9725->9728 9725->9729 9755 7499ea 9725->9755 9730 7485a4 4 API calls 9726->9730 9727->9725 9728->9755 9729->9718 9732 749a45 9730->9732 9731 76572d 2 API calls 9731->9729 9733 7485a4 4 API calls 9732->9733 9732->9755 9734 749aaa 9733->9734 9735 744088 4 API calls 9734->9735 9734->9755 9736 749aed 9735->9736 9737 7486e2 4 API calls 9736->9737 9736->9755 9738 749b25 9737->9738 9739 744088 4 API calls 9738->9739 9738->9755 9740 749b46 9739->9740 9741 744088 4 API calls 9740->9741 9740->9755 9742 749b73 9741->9742 9743 74dec6 4 API calls 9742->9743 9744 749c7b 9742->9744 9742->9755 9745 749c56 9743->9745 9746 74dec6 4 API calls 9744->9746 9744->9755 9747 74dec6 4 API calls 9745->9747 
9745->9755 9748 749d47 9746->9748 9747->9744 9749 756d72 4 API calls 9748->9749 9757 749e51 9748->9757 9749->9748 9750 74a66b 9751 7485a4 4 API calls 9750->9751 9752 74a6fa 9750->9752 9751->9752 9753 7485a4 4 API calls 9752->9753 9752->9755 9753->9755 9754 74534c GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9754->9757 9755->9729 9755->9731 9756 7486e2 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9756->9757 9757->9750 9757->9754 9757->9755 9757->9756 9758 756d72 4 API calls 9757->9758 9759 7485a4 4 API calls 9757->9759 9760 74dec6 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9757->9760 9761 74e4e4 4 API calls 9757->9761 9758->9757 9759->9757 9760->9757 9761->9757 9763 756d97 9762->9763 9764 756f07 9763->9764 9766 756dd4 9763->9766 9765 74b38e 4 API calls 9764->9765 9771 756e24 9765->9771 9767 756df4 9766->9767 9768 756e66 9766->9768 9769 7658f9 4 API calls 9767->9769 9770 7658f9 4 API calls 9768->9770 9769->9771 9770->9771 9771->9720 9774 76410e 9772->9774 9773 769707 Mailbox 8 API calls 9777 76419c 9773->9777 9774->9773 9775 7641f1 ReadFile 9776 764256 WaitForSingleObject 9775->9776 9775->9777 9776->9608 9777->9775 9777->9776 9778 769883 8 API calls 9777->9778 9778->9777
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00760590
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 007605E4
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00760629
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00760649
• GetTickCount.KERNEL32 ref: 007606E6
• GetCommandLineA.KERNEL32 ref: 00760873
Strings
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: CreateMutex$CommandCountEnvironmentLineTickVariable
• String ID: $}\N$241$C:\Windows\system32\config\systemprofile$C:\hjflhukc\xxxniijvj.exe$HO$^d/$tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"$wb_m$~z0
• API String ID: 3327569919-2039580995
• Opcode ID: b1771a39554c1f9514a54c2555303194813295cf95f3b76d768b64eab0336eb6
• Instruction ID: 351fc37a19fb045a9f5cf539365717174466d4e89d51cdedf5293a07ae452612
• Opcode Fuzzy Hash: b1771a39554c1f9514a54c2555303194813295cf95f3b76d768b64eab0336eb6
• Instruction Fuzzy Hash: CA03AB71600601DBD758DF64EC8A97A37B4F744391B54C52AE90ECA2B1EB7C98C0CB5E

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                            control_flow_graph 490 7488a8-7488de call 7457a9 493 7488e0 490->493 494 7488ea-74898e GetVersionExA call 74e769 call 74457c 490->494 493->494 499 748990-74899a 494->499 500 74899c-7489c2 494->500 501 7489d7-7489dd 499->501 500->501 502 7489c4-7489d1 500->502 503 7489e3-748add call 75c0de call 74f38b CreateDirectoryA call 75a805 501->503 504 748b3f-748b5f 501->504 502->501 517 748ae2-748b3d call 74f38b call 758251 503->517 505 748b65-748b77 504->505 507 748ba9-748bb0 505->507 508 748b79-748b93 505->508 511 748bb6-748c17 call 75a805 call 74846d call 758251 507->511 510 748b95-748ba7 508->510 508->511 510->511 525 748c2d-748c3f 511->525 526 748c19-748c2b 511->526 517->505 528 748c4b-748c73 call 74c9ba call 76d492 call 74c622 525->528 529 748c41 525->529 526->528 536 748d6f-748e0c call 75c0de call 74f38b CreateDirectoryA call 765eaf 528->536 537 748c79-748ccc 528->537 529->528 549 748e0e-748e18 536->549 550 748e1a 536->550 539 748cfe-748d29 DeleteFileA 537->539 540 748cce-748cec 537->540 543 748d3d-748d65 RemoveDirectoryA 539->543 544 748d2b-748d37 539->544 540->539 542 748cee-748cf8 540->542 542->539 543->536 544->543 551 748e24-748e26 549->551 550->551 552 748e44 551->552 553 748e28-748e42 551->553 554 748e46-748e73 call 74f793 552->554 553->554 557 748e75-748e87 554->557 558 748e89-748e8e 554->558 559 748e94-748f2f CreateDirectoryA call 75a805 call 74f38b call 75a805 557->559 558->559 566 748f64-748fcf call 758251 call 74846d call 758251 call 74c9ba call 76d492 call 74c622 559->566 567 748f31-748f57 559->567 581 748fd5-748fe6 566->581 582 749769-7497f8 call 74f793 SetFileAttributesA call 7506af 566->582 567->566 568 748f59-748f5e 567->568 568->566 584 74906c-7490da call 75a805 call 75074e call 758251 581->584 585 748fec-74906a call 75a805 call 75074e call 758251 
581->585 596 7497fa-749815 582->596 597 74981b-749826 call 745017 582->597 605 7490e0-74910d 584->605 585->605 596->597 606 749132-749192 call 74f38b CreateDirectoryA call 765eaf 605->606 607 74910f-749126 605->607 613 749194-7491a0 606->613 614 7491c1-749257 call 74f793 CreateDirectoryA call 75a805 call 74f38b call 75a805 606->614 607->606 608 749128 607->608 608->606 613->614 615 7491a2-7491bb 613->615 624 749272-7492a4 call 758251 call 74846d 614->624 625 749259-74926c 614->625 615->614 630 7492a6-7492be 624->630 631 7492c0-7492e7 624->631 625->624 632 7492ff-74933b call 758251 call 74c9ba call 76d492 call 74c622 630->632 631->632 633 7492e9-7492f9 631->633 642 749756-749763 632->642 643 749341-7493c2 GetTempPathA call 7642b6 632->643 633->632 642->582 646 7493ea-7493ec 643->646 647 7493c4-7493dd 646->647 648 7493ee 646->648 649 7493f0-749412 647->649 650 7493df-7493e9 647->650 651 74946e-7494fb call 765eaf call 74f793 CreateDirectoryA 648->651 652 749414-74941c 649->652 653 749422-749453 649->653 650->646 659 74950d-749557 call 75a805 call 74f38b 651->659 660 7494fd-749507 651->660 652->653 653->651 655 749455-749469 653->655 655->651 665 749559-749565 659->665 666 74956b-749610 call 75a805 call 758251 call 74846d call 758251 call 74c9ba call 76d492 call 74c622 659->666 660->659 665->666 681 749736-749751 666->681 682 749616-749627 666->682 681->642 683 749633-7496ce GetTempPathA call 765eaf call 75a805 682->683 684 749629 682->684 689 7496d0 683->689 690 7496da-7496fe call 74f38b 683->690 684->683 689->690 693 749700-74970a 690->693 694 74970f-74972a call 758251 690->694 693->694 694->681 697 74972c 694->697 697->681
APIs
• GetVersionExA.KERNEL32(0077B028), ref: 0074893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00748AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 00748D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00748D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00748DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00748E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00749158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 007491F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 0074936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 007494DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 0074963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 007497B0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\hjflhukc\$\$gKV`$h)N^
• API String ID: 1691758827-4224816522
• Opcode ID: 0b5ec13e09de181e212b54349ba19fdcfff61136d0197711d2b6e0a9d38078f7
• Instruction ID: ba6d161f0cfa0a0c98b843a2b97ce4f8203674bae49a0947d921165e7346437b
• Opcode Fuzzy Hash: 0b5ec13e09de181e212b54349ba19fdcfff61136d0197711d2b6e0a9d38078f7
• Instruction Fuzzy Hash: C182E3B1540204DBD708DF64EC8A9BA37B4F744381B40C42AEA0ED62B1EB7C99C5CB5E

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                            control_flow_graph 698 7684d7-768575 699 768577-768595 698->699 700 76859b-7685a7 698->700 699->700 701 7685b3-7685e0 700->701 702 7685a9 700->702 703 7685e2-7685ec 701->703 704 768608-768619 701->704 702->701 705 768601-768606 703->705 706 7685ee-7685ff 703->706 707 76861b-768622 704->707 708 768628-768670 call 75a805 704->708 705->708 706->708 707->708 711 768672 708->711 712 76867c-768697 call 765eaf 708->712 711->712 715 7686cd-7686f6 call 758251 GetProcessHeap 712->715 716 768699-7686b2 712->716 720 768711-76871d 715->720 721 7686f8-76870c 715->721 716->715 717 7686b4-7686c6 716->717 717->715 723 76871f-768727 720->723 724 76872d-76875c call 75a805 720->724 722 7690ec-7690f0 721->722 723->724 727 76875e 724->727 728 768768-7687aa LoadLibraryA call 758251 724->728 727->728 731 7687ce 728->731 732 7687ac-7687cc 728->732 733 7687d8-7687da 731->733 732->733 734 7687f5-768805 733->734 735 7687dc-7687f0 733->735 736 768807-768824 734->736 737 76882a-768884 call 75a805 GetProcAddress call 758251 734->737 738 7690eb 735->738 736->737 743 768886-7688a7 FreeLibrary 737->743 744 7688ac-7688f9 RtlAllocateHeap 737->744 738->722 745 768a20-768a22 743->745 746 768926-76894e GetAdaptersInfo 744->746 747 7688fb-768921 FreeLibrary 744->747 748 7690ea 745->748 749 768963-768966 746->749 750 768950-76895d 746->750 747->745 748->738 751 76896c-76898c HeapFree 749->751 752 768a39-768a4b 749->752 750->749 755 76898e-7689a9 751->755 756 7689ab-7689b7 751->756 753 768a5e-768a6e 752->753 754 768a4d-768a5c 752->754 757 768a73-768a8e GetAdaptersInfo 753->757 754->757 758 7689bd-7689f9 HeapAlloc 755->758 756->758 761 768a94-768afb call 75a805 call 765eaf 757->761 762 76906d-76908e 757->762 759 768a27-768a33 758->759 760 7689fb-768a16 FreeLibrary 758->760 759->752 760->745 768 
768b0f-768b2d call 758251 761->768 769 768afd-768b09 761->769 764 769094-7690e7 HeapFree FreeLibrary 762->764 764->748 772 768b2f 768->772 773 768b39-768b59 768->773 769->768 772->773 774 768b7f 773->774 775 768b5b-768b65 773->775 778 768b89-768bb1 call 767406 774->778 776 768b67-768b71 775->776 777 768b73-768b7d 775->777 776->778 777->778 781 768ca7-768cbc 778->781 782 768bb7-768bf4 call 767406 778->782 783 768cf4-768d18 781->783 784 768cbe-768cd7 781->784 790 768bf6-768c13 782->790 791 768c22-768c24 782->791 787 768d1e-768d20 783->787 784->783 786 768cd9-768cef 784->786 786->783 787->778 789 768d26 787->789 792 769043-76906b call 7506af 789->792 790->791 793 768c15-768c1b 790->793 794 768c26-768c80 791->794 795 768c9d 791->795 792->764 793->791 796 768c86-768c98 794->796 797 768d2b-768d66 call 75a805 794->797 795->781 796->787 802 768d75-768d86 797->802 803 768d68-768d73 797->803 805 768d94-768da0 802->805 806 768d88-768d92 802->806 804 768da6-768df5 call 765eaf call 758251 803->804 811 768fe2-76903d call 7506af 804->811 812 768dfb-768e22 804->812 805->804 806->804 811->792 814 768e24-768e36 812->814 815 768e38-768e42 812->815 817 768e54-768eab 814->817 815->817 818 768e44-768e4e 815->818 819 768ed2-768ede 817->819 820 768ead-768ed0 817->820 818->817 821 768ee4-768f32 819->821 820->821 822 768f34-768f50 821->822 823 768f55-768f5b 821->823 822->823 824 768f62-768f72 823->824 825 768f5d-768f61 823->825 826 768f74-768f94 824->826 827 768f9a-768fd9 824->827 825->824 826->827 827->812 828 768fdf 827->828 828->811
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 007686E1
                                                                                                                                                                                                            • LoadLibraryA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 0076876A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00768854
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 00768891
                                                                                                                                                                                                            • RtlAllocateHeap.NTDLL(?,00000000,00000288,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100), ref: 007688DD
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 00768908
                                                                                                                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00000009,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 00768935
                                                                                                                                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100), ref: 0076897A
                                                                                                                                                                                                            • HeapAlloc.KERNEL32(?,00000000,00000009,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100), ref: 007689C3
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 00768A10
                                                                                                                                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,00000009,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 00768A78
                                                                                                                                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100), ref: 007690B2
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000100,?,?,?,?,?,?,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 007690D7
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Free$HeapLibrary$AdaptersInfo$AddressAllocAllocateLoadProcProcess
                                                                                                                                                                                                            • String ID: Q:3q$SAcA
                                                                                                                                                                                                            • API String ID: 3577610392-494069912
                                                                                                                                                                                                            • Opcode ID: 0ea9ce0713135d178214f031ff7df5a110c980fe7b4e082a3d1ceb3ca5d9bafa
                                                                                                                                                                                                            • Instruction ID: 45e45d4d94d9e51ebb09071d5819525051dd3bad23efc10af7de767ceaa374e2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0ea9ce0713135d178214f031ff7df5a110c980fe7b4e082a3d1ceb3ca5d9bafa
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FD52AA75615600CBC358DF68EC89A6937F4FB58391B14C51AE90ECA2B1EB7C98C0CB5E
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00759154
• setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 007591DB
• gethostbyname.WS2_32(?), ref: 00759261
• inet_ntoa.WS2_32(?), ref: 007592CF
• inet_addr.WS2_32(00000000), ref: 007592D6
• htons.WS2_32(00000050), ref: 007592FB
• connect.WS2_32(00000000,?,00000010), ref: 00759316
• send.WS2_32(00000000,00000000,00000000,00000000), ref: 007593A1
• recv.WS2_32(0000000B,?,00000400,00000000), ref: 0075947C
• closesocket.WS2_32(0000000B), ref: 007597C6
Reading: socket(2, 1, 6) is AF_INET / SOCK_STREAM / IPPROTO_TCP; setsockopt(..., 0xFFFF, 0x1006, ..., 4) sets SOL_SOCKET / SO_RCVTIMEO, a receive timeout so that an unresponsive server cannot hang the thread; htons(0x50) is port 80, and connect receives a 0x10-byte address, the size of sockaddr_in. The host name is resolved with gethostbyname and the address round-tripped through inet_ntoa / inet_addr before connect; the reply is read into a 0x400-byte (1024) buffer with recv, then the socket is closed. This is a hand-built TCP client to port 80 rather than a WinINet/WinHTTP request, so the request headers, User-Agent included, are whatever the sample writes into the send buffer.
Strings
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: closesocketconnectgethostbynamehtonsinet_addrinet_ntoarecvsendsetsockoptsocket
• String ID: /$;$Rb
• API String ID: 4203722200-1076244922
• Opcode ID: d50ec3684e26ff0a5cc88c183488d8d024b6d5ea8bf7895afe372cb384461324
• Instruction ID: 543c808c4c643f2ebe5c83615db42120ae169c3657cc4ce032b7adde553d5371
• Opcode Fuzzy Hash: d50ec3684e26ff0a5cc88c183488d8d024b6d5ea8bf7895afe372cb384461324
• Instruction Fuzzy Hash: 4792E271511600DBD718DF24EC86AB937B4FB44392B10C42AE90EDA2B1EBBC99C5CF59

Control-flow graph (node dump omitted): function at 0x745c39, basic blocks 0x745c39-0x7460ac, calling Sleep, FindFirstFileA, DeleteFileA, FindNextFileA and FindClose, plus internal routines at 0x767d24, 0x7642b6, 0x74f38b, 0x75a805, 0x758251 and 0x7506af; FindNextFileA loops back to the block containing DeleteFileA
APIs
• Sleep.KERNELBASE(000003E8), ref: 00745DEC
• FindFirstFileA.KERNELBASE(?,?), ref: 00745EB2
• DeleteFileA.KERNELBASE(?), ref: 00745FE2
• FindNextFileA.KERNELBASE(00000000,?), ref: 00746020
• FindClose.KERNEL32(00000000), ref: 00746042
Reading: Sleep(0x3E8) pauses for one second, then FindFirstFileA opens a search pattern and the DeleteFileA / FindNextFileA loop removes every match before FindClose releases the search handle. The pattern and directory are passed through registers or constructed buffers ("?" in the argument column), so they cannot be read from this listing; the report's file activity section, not this static view, shows which paths were removed at run time.
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: 01d18aafec02c22e6073d5d067dc97199db91445d759ed3b2044b7bfff68d9b9
• Instruction ID: 503270ab9cef37b7f1e5e863a0a0c43c84c2d78cd78332923fd9047175fb517d
• Opcode Fuzzy Hash: 01d18aafec02c22e6073d5d067dc97199db91445d759ed3b2044b7bfff68d9b9
• Instruction Fuzzy Hash: EBA1BB71610A45DBD358CB64EC8A9A933B8F744381710C01AE90ECA671EB7C99C5CF5E

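The API listings in this section (the adapter-enumeration, Winsock and file-deletion functions above, and the Toolhelp32 process walk that follows) are easier to triage once the numeric arguments are decoded. The script below is an added example for this page, not Joe Sandbox code: it parses lines of the form "• Name.MODULE(args), ref: ADDR" exactly as printed here, decodes the Winsock and Toolhelp32 constants the sample passes, and labels the behaviour each group of calls implies. The constant tables, the behaviour labels and the SAMPLE_REPORT input (lines copied from these listings, with the long "?" stack tails shortened) are the example's own assumptions.

```python
"""Decode the "APIs" listings of a Joe Sandbox report into a behaviour summary.

Added example for this page, not Joe Sandbox code. SAMPLE_REPORT is constructed
from lines copied out of the listings in this section (stack tails shortened).
"""
import re

# One call per match: API name, module, raw argument list, call-site address.
API_LINE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

SAMPLE_REPORT = """
• LoadLibraryA.KERNELBASE(00000000,00000000,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 0076876A
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00768854
• GetAdaptersInfo.IPHLPAPI(00000000,00000009,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 00768935
• GetAdaptersInfo.IPHLPAPI(00000000,00000009,?,?,0075B7C4,?,?,00000000,00000100,00000009), ref: 00768A78
• socket.WS2_32(00000002,00000001,00000006), ref: 00759154
• setsockopt.WS2_32(00000000,0000FFFF,00001006,00000000,00000004), ref: 007591DB
• htons.WS2_32(00000050), ref: 007592FB
• connect.WS2_32(00000000,?,00000010), ref: 00759316
• recv.WS2_32(0000000B,?,00000400,00000000), ref: 0075947C
• Sleep.KERNELBASE(000003E8), ref: 00745DEC
• FindFirstFileA.KERNELBASE(?,?), ref: 00745EB2
• DeleteFileA.KERNELBASE(?), ref: 00745FE2
• FindNextFileA.KERNELBASE(00000000,?), ref: 00746020
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00755804
• Process32First.KERNEL32(00000000,00000128), ref: 007558E2
"""

# Constant tables for the arguments that matter in these listings (assumed set).
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOCKOPT = {(0xFFFF, 0x1005): "SOL_SOCKET/SO_SNDTIMEO",
           (0xFFFF, 0x1006): "SOL_SOCKET/SO_RCVTIMEO"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
          0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
PROCESSENTRY32_SIZE = 0x128  # 9 DWORDs + szExeFile[MAX_PATH] in a 32-bit ANSI build

# API sets that, taken together, identify a behaviour worth a triage note (assumed).
BEHAVIOURS = {
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "network adapter enumeration": {"GetAdaptersInfo"},
    "raw TCP client": {"socket", "connect", "recv"},
    "directory walk with file deletion": {"FindFirstFileA", "FindNextFileA", "DeleteFileA"},
    "process enumeration via Toolhelp32": {"CreateToolhelp32Snapshot", "Process32First"},
}


def parse_api_lines(text):
    """Return one dict per API line; '?' (value not captured) becomes None."""
    calls = []
    for m in API_LINE.finditer(text):
        args = [None if t.strip() == "?" else int(t, 16)
                for t in m.group("args").split(",") if t.strip()]
        calls.append({"name": m.group("name"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def decode(call):
    """Translate the interesting numeric arguments of one call into names."""
    name, a = call["name"], call["args"]

    def have(*idx):  # every requested position present and actually captured
        return all(i < len(a) and a[i] is not None for i in idx)

    if name == "socket" and have(0, 1, 2):
        return f"{AF.get(a[0], a[0])}, {SOCK_TYPE.get(a[1], a[1])}, {PROTO.get(a[2], a[2])}"
    if name == "setsockopt" and have(1, 2):
        return SOCKOPT.get((a[1], a[2]), f"level=0x{a[1]:X} optname=0x{a[2]:X}")
    if name == "htons" and have(0):
        return f"port {a[0]}"
    if name == "Sleep" and have(0):
        return f"{a[0]} ms"
    if name == "recv" and have(2):
        return f"{a[2]}-byte buffer"
    if name == "CreateToolhelp32Snapshot" and have(0):
        return "|".join(n for bit, n in TH32CS.items() if a[0] & bit) or f"flags=0x{a[0]:X}"
    if name in ("Process32First", "Process32Next") and have(1):
        return ("dwSize matches 32-bit PROCESSENTRY32" if a[1] == PROCESSENTRY32_SIZE
                else f"dwSize=0x{a[1]:X}")
    return ""  # nothing decodable: never guess for the analyst


def behaviours(calls):
    """Behaviour labels whose complete API set occurs in the calls."""
    seen = {c["name"] for c in calls}
    return sorted(label for label, apis in BEHAVIOURS.items() if apis <= seen)


def summarize(text):
    """Human-readable lines: call site, API, decoded arguments, then behaviours."""
    calls = parse_api_lines(text)
    lines = [f"{c['ref']:08X} {c['name']}({decode(c)})" for c in calls if decode(c)]
    return lines + [f"behaviour: {b}" for b in behaviours(calls)]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORT)))
```

Run it directly to print the decoded summary, or pass the whole report text to summarize() to cover every function. Calls whose arguments the sandbox did not capture ("?") decode to nothing rather than to a guess, which is the right failure mode when the output feeds a triage note.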
Control-flow graph (node dump omitted): function at 0x75571f, basic blocks 0x75571f-0x755af0, calling CreateToolhelp32Snapshot, Process32First, Process32Next and FindCloseChangeNotification, plus internal routines at 0x7506af, 0x765eaf, 0x7520d8 and 0x767406; Process32Next loops back to the block that processes each entry
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00755804
• Process32First.KERNEL32(00000000,00000128), ref: 007558E2
• Process32Next.KERNEL32(00000000,00000128), ref: 007559E8
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00755A7E
Reading: CreateToolhelp32Snapshot(2, 0) is TH32CS_SNAPPROCESS over all processes; Process32First / Process32Next are called with dwSize 0x128 (296), which is sizeof(PROCESSENTRY32) for a 32-bit ANSI build, and each entry is passed through the helpers at 0x765eaf, 0x7520d8 and 0x767406 before the next Process32Next. The FindCloseChangeNotification call on the snapshot handle is almost certainly CloseHandle: in KERNELBASE the two exports resolve to the same code, so hook-based tracers routinely report CloseHandle under the other name.
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: c6ebf96ba146eccceabbe73003dc974cdd2292699dc6f71059ff594445a9a899
                                                                                                                                                                                                            • Instruction ID: 028dab1f6ea502545a50babc2c6d019c4d9c5a7b5d164e054c0901058bb5b811
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c6ebf96ba146eccceabbe73003dc974cdd2292699dc6f71059ff594445a9a899
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2591DC75A05600CFC748DB28ECAA5A937B4F748392B10C51AE90ACA670EB7C99D5CF49

Control-flow Graph
(rendered graph omitted; the node list covers basic blocks 75b3db through 75be13. GetComputerNameA is called from block 75b4ff-75b530; the remaining blocks call internal subroutines such as 74695e, 750b92, 745724, 745017, 758251, 765eaf and 75a805.)
APIs
• GetComputerNameA.KERNEL32(?,?), ref: 0075B528
  • Part of subcall function 007642B6: lstrlen.KERNEL32(?,?,00745DCE,?,00000104,?), ref: 00764320
Strings
(none listed with xrefs; the String ID below encodes the two strings K]g[ and myiW, joined by $)
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: ComputerNamelstrlen
• String ID: K]g[$myiW
• API String ID: 4141851928-3148350528
• Opcode ID: 942b4be34c60c2d2241269fa53a376a4e473d66dedf6fe1957c2ad43fdfc684b
• Instruction ID: 95ab95026a94a035e0c5c9d20ec61927b2a0aeec599abb4c8241d2022c05f3ff
• Opcode Fuzzy Hash: 942b4be34c60c2d2241269fa53a376a4e473d66dedf6fe1957c2ad43fdfc684b
• Instruction Fuzzy Hash: 2742B271900605DBCB18EF64ED969FD73B8FB14381B40801AE50AD61B2EB7C9AC5CF5A

Control-flow Graph
(rendered graph omitted; the node list covers basic blocks 7624d3 through 762df0. Sleep is called from block 762cd6-762d35, which also calls 769707, 752192 and 75571f; the two strings referenced at 762d94 and 762d9e fall in block 762d84-762dba, which calls 7554d8. Block 762de6-762df0 branches back to 76278a, so the Sleep sits inside a loop.)
APIs
• Sleep.KERNELBASE(000008AE), ref: 00762D0A (0x8AE = 2222 ms)
Strings
• C:\hjflhukc\xxxniijvj.exe, xrefs: 00762D9E
• tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe", xrefs: 00762D94
(a drop path and a command line that quotes a second executable in the same directory, both referenced shortly after the Sleep at 00762D0A)
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: Sleep
• String ID: C:\hjflhukc\xxxniijvj.exe$tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe"
• API String ID: 3472027048-2520137044
• Opcode ID: 71046394ced923067c81f3675949dc66f52f312f7782c00106168c06955c5e82
• Instruction ID: 042cbe7680456917e68a0bf2468e7844d643f2065583e9134a45f2658c78c5b0
• Opcode Fuzzy Hash: 71046394ced923067c81f3675949dc66f52f312f7782c00106168c06955c5e82
• Instruction Fuzzy Hash: F132BF71900604DFD758DF64ED96AA937F4FB04381B10C42AE80EDB2A2EB7C99C5CB59

Control-flow Graph
(rendered graph omitted; the node list covers basic blocks 74bece through 74c2d7. GetProcAddress is called from blocks 74bfba-74c04d and 74c065-74c0b1, each bracketed by calls to 75a805 or 758251; CryptGenRandom is called from block 74c1c7-74c1db, and its outcome selects between block 74c1dd-74c1fd and a jump to 74c236-74c24c.)
APIs
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0074C004
• GetProcAddress.KERNEL32(00000000), ref: 0074C080
• CryptGenRandom.ADVAPI32(00000004,?,00000000,?,00764797,?,007627D6,?), ref: 0074C1D3 (dwLen = 4, i.e. four random bytes requested; 00764797 and 007627D6 lie inside the image and look like return addresses, the latter in the 7624d3 function whose Sleep call is listed above)
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true (associated dumps as listed for the first function above)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: AddressProc$CryptRandom
• String ID:
• API String ID: 646182245-0
• Opcode ID: 8f5c33d6028fbadf54965343ffc19a0489e8d2225cbb979fa9c0254d001e493c
• Instruction ID: 3ebdcbe9acf5ec3b329c15ab38cdeaaabe82e0e275a146322461563d22afb595
• Opcode Fuzzy Hash: 8f5c33d6028fbadf54965343ffc19a0489e8d2225cbb979fa9c0254d001e493c
• Instruction Fuzzy Hash: 7C91AC71615601DBE7589F68EC5AA3937E5FB543D1710C21AE40EC66B0EBBC88C0CB5E
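The API and string lines of the records above (the Toolhelp32/FindCloseChangeNotification record, GetComputerNameA with its lstrlen subcall, Sleep with its two strings, and the GetProcAddress/CryptGenRandom record) are the parts of a Joe Sandbox function record a triage script actually consumes. The following Python is an added example, not code from Joe Sandbox or from this report: it parses those lines exactly as quoted here into structured records, decodes the numeric arguments (the Sleep delay, the CryptGenRandom length), picks out stack values that fall inside the image (the base 0x740000 comes from the Memory Dump Source line; the 0x40000 size is my assumption), and maps API names to coarse behaviour tags. The tag table and tag names are my own, not Joe Sandbox's signature names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the API and string lines from the function records above,
# gathered into one blob. The line syntax is Joe Sandbox's; the selection is mine.
SAMPLE_RECORDS = r"""
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00755A7E
• GetComputerNameA.KERNEL32(?,?), ref: 0075B528
  • Part of subcall function 007642B6: lstrlen.KERNEL32(?,?,00745DCE,?,00000104,?), ref: 00764320
• Sleep.KERNELBASE(000008AE), ref: 00762D0A
• C:\hjflhukc\xxxniijvj.exe, xrefs: 00762D9E
• tgtbxnf8r33w "c:\hjflhukc\yanidfx.exe", xrefs: 00762D94
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0074C004
• GetProcAddress.KERNEL32(00000000), ref: 0074C080
• CryptGenRandom.ADVAPI32(00000004,?,00000000,?,00764797,?,007627D6,?), ref: 0074C1D3
"""

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]+)$"
)
STRING_RE = re.compile(r"^(?P<value>.+), xrefs: (?P<xrefs>[0-9A-F]+(?:, [0-9A-F]+)*)$")

# Image range used to tell code addresses from plain values. The base is the
# "Offset: 00740000" of the Memory Dump Source lines; the size is an assumption.
IMAGE_BASE = 0x740000
IMAGE_SIZE = 0x40000

# Coarse behaviour tags keyed by API name: my own mapping, not Joe Sandbox's signatures.
BEHAVIOUR_TAGS: Dict[str, str] = {
    "CreateToolhelp32Snapshot": "process_discovery",
    "Process32First": "process_discovery",
    "Process32Next": "process_discovery",
    "FindFirstChangeNotification": "directory_change_monitoring",
    "FindCloseChangeNotification": "directory_change_monitoring",
    "GetComputerNameA": "host_fingerprinting",
    "GetComputerNameW": "host_fingerprinting",
    "Sleep": "execution_delay",
    "GetProcAddress": "dynamic_api_resolution",
    "CryptGenRandom": "csprng_use",
    "StartServiceCtrlDispatcherA": "runs_as_service",
    "StartServiceCtrlDispatcherW": "runs_as_service",
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str] = None  # set for "Part of subcall function" entries

@dataclass
class StringRef:
    value: str
    xrefs: List[str]

def parse_records(text: str) -> Tuple[List[ApiCall], List[StringRef]]:
    """Split report lines into API calls and referenced strings; other lines are ignored."""
    calls, strings = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["parent"]))
            continue
        m = STRING_RE.match(line)
        if m:
            strings.append(StringRef(m["value"], m["xrefs"].split(", ")))
    return calls, strings

def arg_int(arg: str) -> Optional[int]:
    """Hex argument as int; '?' (value not recovered by the sandbox) becomes None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def sleep_total_ms(calls: List[ApiCall]) -> int:
    """Sum of every Sleep delay whose dwMilliseconds was recovered."""
    return sum(arg_int(c.args[0]) or 0 for c in calls if c.api == "Sleep" and c.args)

def rng_request_bytes(calls: List[ApiCall]) -> List[int]:
    """dwLen of every CryptGenRandom call whose length was recovered."""
    return [n for c in calls if c.api == "CryptGenRandom" and c.args
            for n in [arg_int(c.args[0])] if n is not None]

def image_code_refs(call: ApiCall) -> List[int]:
    """Argument values inside the image: on a 32-bit stack dump these are usually
    return addresses, which locate the callers of the function being looked at."""
    return [v for v in map(arg_int, call.args)
            if v is not None and IMAGE_BASE <= v < IMAGE_BASE + IMAGE_SIZE]

WIN_EXE_PATH = re.compile(r"^[a-z]:\\.*\.exe$", re.I)
QUOTED_EXE_CMDLINE = re.compile(r'^\S+\s+"[a-z]:\\[^"]+\.exe"$', re.I)

def tag_behaviours(calls: List[ApiCall], strings: List[StringRef]) -> Dict[str, List[str]]:
    """Map calls and strings to behaviour tags, each with the evidence that produced it."""
    tags: Dict[str, List[str]] = {}
    for c in calls:
        tag = BEHAVIOUR_TAGS.get(c.api)
        if tag:
            tags.setdefault(tag, []).append(f"{c.api}@{c.ref}")
    for s in strings:
        if WIN_EXE_PATH.match(s.value):
            tags.setdefault("dropped_executable_path", []).append(s.value)
        elif QUOTED_EXE_CMDLINE.match(s.value):
            tags.setdefault("child_command_line", []).append(s.value)
    return tags

if __name__ == "__main__":
    calls, strings = parse_records(SAMPLE_RECORDS)
    for tag, evidence in sorted(tag_behaviours(calls, strings).items()):
        print(f"{tag:28s} {', '.join(evidence)}")
    print("total Sleep:", sleep_total_ms(calls), "ms")
    print("CryptGenRandom dwLen:", rng_request_bytes(calls))
    rng = next(c for c in calls if c.api == "CryptGenRandom")
    print("in-image stack values:", [f"{v:08X}" for v in image_code_refs(rng)])
```

Run on the lines above it yields 2222 ms of Sleep, a four-byte CryptGenRandom request, and two in-image stack values for that call (00764797 and 007627D6), which is how one ties the random-number routine back to the function that contains the Sleep and the drop-path strings. A `?` argument means the sandbox did not recover the value, so the parser keeps it as None rather than guessing.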
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00767525
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0

Control-flow Graph (rendered image not available; covers 74c9ed-74cdd1)
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 0074CAF2
• SetServiceStatus.SECHOST(0077B2DC), ref: 0074CB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0074CB78
• SetServiceStatus.ADVAPI32(0077B2DC), ref: 0074CBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 0074CC62
• SetServiceStatus.ADVAPI32(0077B2DC), ref: 0074CCAF
• CloseHandle.KERNEL32 ref: 0074CCC5
• SetServiceStatus.ADVAPI32(0077B2DC), ref: 0074CD8F
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0

Control-flow Graph (rendered image not available; covers 755485-75568e)
APIs
• CreateProcessA.KERNELBASE(?,0074DA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00755628
• CloseHandle.KERNEL32(0074DA33,?,?,?,?,00000000), ref: 00755652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00755665
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292

Control-flow Graph (rendered image not available; covers 7554d8-75568e)
APIs
• CreateProcessA.KERNELBASE(?,0074DA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00755628
• CloseHandle.KERNEL32(0074DA33,?,?,?,?,00000000), ref: 00755652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00755665
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292

Control-flow Graph (rendered image not available; covers 74c622-74c9b9)
APIs
• Part of subcall function 0074B7CD: WaitForSingleObject.KERNEL32(007627D6,00004E20,00000000,?,0074BFA2,00000000,00000000,?,00764797,?,007627D6,?), ref: 0074B81D
• CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000000,00000000,00000000,0074D913,00000000,00000000,?,00000000), ref: 0074C746
• WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,?,?,?,00000000,?), ref: 0074C90B
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000,?), ref: 0074C983
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationObjectSingleWaitWrite
• String ID:
• API String ID: 2552625159-0

Control-flow Graph
• Graph image not reproduced; basic blocks 74e769-74e908, calling AllocateAndInitializeSid, CheckTokenMembership and FreeSid.
APIs
• AllocateAndInitializeSid.ADVAPI32(00748954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00748954), ref: 0074E865
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0074E895
• FreeSid.ADVAPI32(?), ref: 0074E8DC
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0

Control-flow Graph
• Graph image not reproduced; basic blocks 7520d8-75214f, calling lstrlen and CharLowerBuffA.
APIs
• lstrlen.KERNEL32(?,?,00755997,?,?,?), ref: 007520F0
• CharLowerBuffA.USER32(?,00000000,?,00755997,?,?,?), ref: 00752131
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0

Control-flow Graph
• Graph image not reproduced; basic blocks 7623a6-762404, calling GetProcessHeap and RtlAllocateHeap.
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,0076A3A7,?,?,?,0076D0BE), ref: 007623F6
• RtlAllocateHeap.NTDLL(00000000,?,0076A3A7,?,?,?,0076D0BE), ref: 007623FD
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0

Control-flow Graph
• Graph image not reproduced; basic blocks 74de5a-74de9b, calling GetProcessHeap and RtlFreeHeap.
APIs
• GetProcessHeap.KERNEL32(00000000,00000002,?,007582CB,000036E2,000036E2,00000000,-00000002,?,00745E87,00000002,00000000,?,00000000,000036E2,00000002), ref: 0074DE6C
• RtlFreeHeap.NTDLL(00000000,?,007582CB,000036E2,000036E2,00000000,-00000002,?,00745E87,00000002,00000000,?,00000000,000036E2,00000002,?), ref: 0074DE73
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
APIs
• CreateFileA.KERNELBASE(007627D6,80000000,00000000,00000000,00000003,00000000,00000000,00000000,00000000,00000000,?,007647E5,007627D6,00000000,00003571,00000003), ref: 0076770C
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
                                                                                                                                                                                                            • Opcode ID: fd81ec042631f558597adcdb26644b04166357ca922f1ef161170bbb8d5e9104
                                                                                                                                                                                                            • Instruction ID: d35f18ef0d289789890ffaa8cc73d48f371090e899c63ffcfc261e73c47c287c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: fd81ec042631f558597adcdb26644b04166357ca922f1ef161170bbb8d5e9104
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB510236659301DBE30C9B68FD56A3637A4F7503E6B10C02AE90ECA5B0E76D99C0CB5D
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00743BF6
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: aee5dad8de1a7d345022a1b383246881d991e693e5bd9b799685f0137bc5da48
• Instruction ID: 3c0007159605df09e171263f5b018fcbfdc12cc9f80eeee93c49f3737c520202
• Opcode Fuzzy Hash: aee5dad8de1a7d345022a1b383246881d991e693e5bd9b799685f0137bc5da48
• Instruction Fuzzy Hash: 48410472941209DBC364DF69EC4A9E237B8E740395B04C52AE60DD7260EB7C95C1CFA9
APIs
• Sleep.KERNELBASE(000003E8,?,00000000,00000000,?,007627D6,?), ref: 00764859
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 5f656a1d51d8b699b2f4816ac9971ce2f90cd7c5e81fc713808011d368b39b07
• Instruction ID: fc84d31ab16e7c8aa0e7e84b3a82f0164422660323eb5d9d82f6f0c0e0e1ae67
• Opcode Fuzzy Hash: 5f656a1d51d8b699b2f4816ac9971ce2f90cd7c5e81fc713808011d368b39b07
• Instruction Fuzzy Hash: 6341F071540601DBD329AB64EC4BA2537B0FB447D1B51C42EE90E8A271EBBC85C0CB6E
APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 0076D98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0076D9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 0076DA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0076DA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0076DBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 0076DC1C
• CloseHandle.KERNEL32(?), ref: 0076DC33
• CloseHandle.KERNEL32(?), ref: 0076DC66
• CloseHandle.KERNEL32(?), ref: 0076DC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 0076DD4F
• CloseHandle.KERNEL32(?), ref: 0076DD9F
• CloseHandle.KERNEL32(?), ref: 0076DDB2
• CloseHandle.KERNEL32(?), ref: 0076DE41
• CloseHandle.KERNEL32(00000000), ref: 0076DE67
• CloseHandle.KERNEL32(?), ref: 0076DE7E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
• API String ID: 1130065513-2746444292
• Opcode ID: fa84efb41be3743c0922df205026b6ce91084918fe287269569a5ea6ca4a5cb6
• Instruction ID: 3cf5bedc0599248fe8a72db546849f5e28db29ee81c3d71f835f725f1ba8bb0f
• Opcode Fuzzy Hash: fa84efb41be3743c0922df205026b6ce91084918fe287269569a5ea6ca4a5cb6
• Instruction Fuzzy Hash: 2302A976A10604DFDB18DF68EC859697BB4FB48380714C11AE90AD6270EB7C99D0CF5E
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00763685
• CreateServiceA.ADVAPI32(00000000,00DBE5D8,00DBE5D8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 007636D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00763728
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0076374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 0076375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 007637D1
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00763836
• CloseServiceHandle.ADVAPI32(00000000), ref: 00763847
• CloseServiceHandle.ADVAPI32(00000000), ref: 007638B1
Strings
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID: 3ch$qh~B
• API String ID: 3525021261-274300185
• Opcode ID: 4f175bff90c494f202d3e8111aab1c78ebbca763b23bbd7b6bf00d10bbbb601f
• Instruction ID: 6877a4a1c5289d3fc8c1c5975d0ce75663111c4129615aad8aa070607724a3bf
• Opcode Fuzzy Hash: 4f175bff90c494f202d3e8111aab1c78ebbca763b23bbd7b6bf00d10bbbb601f
• Instruction Fuzzy Hash: EB91A8B5614A00EBE3088F28ED8597937F5F748781340C41AE80EDA271EBBC99C1CB6D
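The API lines in these function entries print every argument as a raw hex stack slot, so the interesting part of each entry is only visible after decoding the constants against the documented Win32 prototypes. Read that way, the CreateFileA at 00743BF6 opens with GENERIC_READ|GENERIC_WRITE and CREATE_ALWAYS (the file is created or truncated); the function at 0076D98F creates two pipes, clears HANDLE_FLAG_INHERIT (0x1) on one end of each via SetHandleInformation, calls CreateProcessA with bInheritHandles = TRUE, writes 0x20 bytes and then waits up to 0x2710 = 10000 ms on a handle, which is the standard idiom for running a child with redirected standard handles and feeding it input (the 0x44 in the lpStartupInfo slot is 68 = sizeof(STARTUPINFOA), most likely the cb field of the structure being passed, and the same byte is the entry's String ID "D"); and the function at 00763685 asks the SCM for SC_MANAGER_CREATE_SERVICE, creates a SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS service with SERVICE_AUTO_START and SERVICE_ALL_ACCESS, sets SERVICE_CONFIG_DESCRIPTION (dwInfoLevel 1) and starts it, i.e. it carries auto-start service installation code. Two caveats apply to any such decoding: the sandbox prints the stack slots it sees, so a call can show more slots than its prototype has parameters (CreatePipe has four, the first one lists seven) or fewer (OpenServiceA has three, the listing shows two, so its 0x10 cannot be assigned positionally even though it equals SERVICE_START and would fit the StartServiceA that follows), and a "?" means the value was not recovered. The script below, an added example for this page and not Joe Sandbox tooling, parses lines in the report's own format, decodes the constants with the documented SDK values, and tags the three entry-level patterns; the input is copied from the entries above and the tag names are this example's own.

```python
# Added example for this report page, not Joe Sandbox tooling: parse the raw "APIs" lines above and decode their hex constants.
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed input: "APIs" lines copied from three function entries of this report; a blank line ends an entry.
SAMPLE_LISTING = """
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00743BF6

CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 0076D98F
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0076D9F9
CreatePipe.KERNEL32(?,?,?,00000000), ref: 0076DA48
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0076DA7E
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0076DBCC
WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 0076DC1C
WaitForSingleObject.KERNEL32(?,00002710), ref: 0076DD4F

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00763685
CreateServiceA.ADVAPI32(00000000,00DBE5D8,00DBE5D8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 007636D6
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00763728
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0076374C
OpenServiceA.ADVAPI32(00000000,00000010), ref: 007637D1
"""

# Api.Module(arg,...), ref: address; the bracketed list is absent for calls such as GetTickCount.
API_LINE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


class Call(NamedTuple):
    api: str
    module: str
    args: List[Optional[int]]  # None where the report printed "?" (value not recovered)
    ref: int


def parse_line(line: str) -> Call:
    m = API_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    raw = m.group("args") or ""
    args = [None if t.strip() == "?" else int(t, 16) for t in raw.split(",") if t.strip()]
    return Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16))


def parse_listing(text: str) -> List[List[Call]]:  # one list of calls per function entry
    return [[parse_line(ln) for ln in block.splitlines() if ln.strip()]
            for block in re.split(r"\n\s*\n", text.strip()) if block.strip()]


# Documented Windows SDK values; composite masks are listed so they decode by name.
TABLES: Dict[str, Dict[int, str]] = {
    "file_access": {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"},
    "disposition": {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    "scm_access": {1: "SC_MANAGER_CONNECT", 2: "SC_MANAGER_CREATE_SERVICE", 4: "SC_MANAGER_ENUMERATE_SERVICE", 0xF003F: "SC_MANAGER_ALL_ACCESS"},
    "service_access": {2: "SERVICE_CHANGE_CONFIG", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0xF01FF: "SERVICE_ALL_ACCESS"},
    "service_type": {1: "SERVICE_KERNEL_DRIVER", 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS", 0x100: "SERVICE_INTERACTIVE_PROCESS"},
    "start_type": {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"},
    "info_level": {1: "SERVICE_CONFIG_DESCRIPTION", 2: "SERVICE_CONFIG_FAILURE_ACTIONS", 3: "SERVICE_CONFIG_DELAYED_AUTO_START_INFO"},
}
# Per API: (0-based argument index in the documented prototype, parameter name, kind, TABLES key).
SPEC = {
    "CreateFileA": [(1, "dwDesiredAccess", "flags", "file_access"), (4, "dwCreationDisposition", "enum", "disposition")],
    "WaitForSingleObject": [(1, "dwMilliseconds", "ms", None)],
    "CreateProcessA": [(4, "bInheritHandles", "bool", None)],
    "OpenSCManagerA": [(2, "dwDesiredAccess", "flags", "scm_access")],
    "CreateServiceA": [(3, "dwDesiredAccess", "flags", "service_access"), (4, "dwServiceType", "flags", "service_type"), (5, "dwStartType", "enum", "start_type")],
    "ChangeServiceConfig2A": [(1, "dwInfoLevel", "enum", "info_level")],
    "OpenServiceA": [(2, "dwDesiredAccess", "flags", "service_access")],
}


def decode_flags(value: int, table: Dict[int, str]) -> str:
    if value in table:  # exact constant, including composites such as SERVICE_ALL_ACCESS
        return table[value]
    bits = {b: n for b, n in table.items() if b and (b & (b - 1)) == 0}  # single-bit flags only
    names = [n for b, n in sorted(bits.items()) if value & b]
    rest = value & ~sum(bits)  # bits with no name in the table
    return "|".join(names + ([f"0x{rest:X}"] if rest else [])) or "0"


def decode_call(call: Call) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for idx, name, kind, table in SPEC.get(call.api, []):
        if idx >= len(call.args):  # the report printed fewer stack slots than the prototype has
            out[name] = "not in listing"
        elif (v := call.args[idx]) is None:  # "?" in the report
            out[name] = "unrecovered (?)"
        elif kind == "flags":
            out[name] = decode_flags(v, TABLES[table])
        else:
            out[name] = {"enum": TABLES.get(table, {}).get(v, f"0x{v:X}"), "ms": f"{v} ms",
                         "bool": "TRUE" if v else "FALSE"}[kind]
    return out


def classify(calls: List[Call]) -> List[str]:
    names, tags = [c.api for c in calls], []  # tag names are this example's own, not Joe Sandbox's
    if "CreateServiceA" in names and "StartServiceA" in names:
        tags.append("installs-and-starts-service")
    if "CreatePipe" in names and "CreateProcessA" in names:
        cp = names.index("CreateProcessA")
        if decode_call(calls[cp]).get("bInheritHandles") == "TRUE":
            tags.append("spawns-child-with-inherited-pipes")
        if "WriteFile" in names[cp:]:  # the handle is "?", so "child stdin" is inferred from the idiom
            tags.append("writes-to-child-after-spawn")
    return tags


if __name__ == "__main__":
    for i, group in enumerate(parse_listing(SAMPLE_LISTING), 1):
        print(f"function {i}: {classify(group)}", *[(c.api, decode_call(c)) for c in group], sep="\n  ")
```

Run it as a script to get the decoded arguments and tags for the three entries; to apply it to another report, paste that report's API lines into the listing string. The decoder deliberately refuses to guess when a slot is missing ("not in listing") or printed as "?" ("unrecovered (?)"), because assigning a stray value to the wrong parameter is how a benign-looking flag turns into a false claim about the sample.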
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007511F7
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00751267
• CloseHandle.KERNEL32(00000000), ref: 0075128B
• GetTickCount.KERNEL32 ref: 007512D1
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0075153B
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0075157E
• CloseHandle.KERNEL32(00000000), ref: 0075158F
Strings
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
                                                                                                                                                                                                            • String ID: Ra);
                                                                                                                                                                                                            • API String ID: 3478262135-4229484525
                                                                                                                                                                                                            • Opcode ID: 2effb4b96f0121aa175d48304b2eab2d30cc502c1722c4ac9f7764bd1195892f
                                                                                                                                                                                                            • Instruction ID: 09c115d9edcad917b02eb13a90213368f0c4213444fd9414eb8c48fb56fae57e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2effb4b96f0121aa175d48304b2eab2d30cc502c1722c4ac9f7764bd1195892f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 74B1E071511600EEE7189F68EC89A7937B4FB443D6750C11AE90DC62B1EBBC89C5CB1E
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007516B2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 007517BE
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00751932
                                                                                                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 00751991
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,0000000A), ref: 00751A6A
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 00751ACE
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00751AF5
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 930127669-0
                                                                                                                                                                                                            • Opcode ID: 495a0f9b425ef54f6f55690740096fdc57e7f59eeac303080643d8444f127486
                                                                                                                                                                                                            • Instruction ID: 436db10102f0c31205cdf80eadfdea07c8a74757e6637a72d57054922e555ffb
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 495a0f9b425ef54f6f55690740096fdc57e7f59eeac303080643d8444f127486
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 34C1CE76901600DBD718DB64EC8AAB937B4F754392B00C11AEA0DC62A1EBBC99C5CF5D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00759FF7
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 0075A049
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 0075A061
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 0075A162
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0075A3B6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1579346331-0
                                                                                                                                                                                                            • Opcode ID: cc1f84ebbefaf0268ac1206fc57b2d468dc4816395b4350afafb6c6d56b39376
                                                                                                                                                                                                            • Instruction ID: 72521336b914b9c4ff56fa75d3896f7e159c1e73bbb16bff6d1b801cdfc97a6e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cc1f84ebbefaf0268ac1206fc57b2d468dc4816395b4350afafb6c6d56b39376
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F0D1EE76901600EFD308CF68EC859A937F4F744391B15C52AE90DDA270EBBC99C0CB5A
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 007508C2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 00750966
                                                                                                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,000000B3), ref: 00750A15
                                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,000000B3), ref: 00750A64
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,000000B3), ref: 00750A82
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 00750AD2
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00750B10
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2696918072-0
                                                                                                                                                                                                            • Opcode ID: 8f3ed777eed7cf5fd7c0ee6e69e66fd27d636991e5ca8fd34f2f33910e16e1e8
                                                                                                                                                                                                            • Instruction ID: d195b8f6e396df37a5c35d176be022b1ba8768123394b4141ab1bd6eadd90b30
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8f3ed777eed7cf5fd7c0ee6e69e66fd27d636991e5ca8fd34f2f33910e16e1e8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A381CD72611611DBD358DF68FC85A6933B4FB48392B00C12AE90DC6671EB7C99D4CB8D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0075B104
                                                                                                                                                                                                            • GetFileTime.KERNEL32(00000000,?,?,?), ref: 0075B16D
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0075B1B2
                                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0075B25F
                                                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0075B2AB
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0075B2D8
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3236713533-0
                                                                                                                                                                                                            • Opcode ID: 99f3c446e6c40058ef6e09e87bb140e14c829807ddc5b2a126f6fa40087113fd
                                                                                                                                                                                                            • Instruction ID: c44948147c225e605d46c5b7cdb7306044445ac5a884f875bf8184ccd8542280
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 99f3c446e6c40058ef6e09e87bb140e14c829807ddc5b2a126f6fa40087113fd
• Instruction Fuzzy Hash: E971EA71601604DFD344DF68ED858BA3BB4F7483A6710C52AE90EC66B0E77C89C4CB2A
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000009,00000002,?,0074D583,0074AD87,00000002,00000000), ref: 00764637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00764655
• CloseHandle.KERNEL32(00000000,?,0074D583,0074AD87,00000002,00000000,?,?,?,?,?,?,?,00000009,?,?), ref: 0076468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,0074D583,0074AD87,00000002,00000000,?,?,?,?,?,?,?,00000009,?), ref: 007646A1
• CloseHandle.KERNEL32(?,0074D583,0074AD87,00000002,00000000,?,?,?,?,?,?,?,00000009,?,?), ref: 00764712
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: ef3cbd54d16ed3f9065e611d0baa6726a1d3ce46d2206c3b1dbaf197339d1a3f
• Instruction ID: 97cc0602d13743eb60ff6295ac4d57ca1904c2fc686dd7a1bffd4c2d72783aed
• Opcode Fuzzy Hash: ef3cbd54d16ed3f9065e611d0baa6726a1d3ce46d2206c3b1dbaf197339d1a3f
• Instruction Fuzzy Hash: A6418875101240DFC328DF28ED8992A3BB6F78A791311C42AE80EC6631E73C98E1CB19
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00764CBC
  • Part of subcall function 0075074E: wvsprintfA.USER32(?,?,00000000), ref: 007507C3
• Sleep.KERNEL32(00015F90), ref: 00764E60
• DeleteFileA.KERNEL32(?), ref: 00764E7F
Strings
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
• Opcode ID: 6ee4bd521f2e3254741b79d1cd96fe8e3bf3d8e93923c5caa406115b02adce69
• Instruction ID: 0f1c2a5009b178e06f4e787d15fddc2bc757d1401254151adac414cf157f242a
• Opcode Fuzzy Hash: 6ee4bd521f2e3254741b79d1cd96fe8e3bf3d8e93923c5caa406115b02adce69
• Instruction Fuzzy Hash: 75D1E275610604DED718DF64EC969A937F8FB44781B00C41AEA0ECB2B1EB7C99C1CB59
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00759C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00759CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00759DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00759E86
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: CloseFileHandle$CreateRead
• String ID:
• API String ID: 2564258376-0
• Opcode ID: 3a75383e18586bee0532fc47a39a469df3d856c2a5c76dfded887011ee2def6d
• Instruction ID: 64b3296519e9b48f005f80af368d0cdddb0e41fc082880d8026812cdb6df5529
• Opcode Fuzzy Hash: 3a75383e18586bee0532fc47a39a469df3d856c2a5c76dfded887011ee2def6d
• Instruction Fuzzy Hash: B281CE75611600DBD714DF64EC8AABA33B9FB44392B00C419EA0EC62A1E77C98C1CF5E
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00758146,00000000,?,00000000,?,0074F85A,0076970E,?,?,00769573,0076970E,00000001), ref: 00769143
• RtlReAllocateHeap.NTDLL(00000000,?,00758146,00000000), ref: 0076914A
• GetProcessHeap.KERNEL32(00000000,00000000,?,00758146,00000000,?,00000000,?,0074F85A,0076970E,?,?,00769573,0076970E,00000001,?), ref: 00769174
• HeapAlloc.KERNEL32(00000000,?,00758146,00000000,?,00000000,?,0074F85A,0076970E,?,?,00769573,0076970E,00000001,?), ref: 0076917B
Memory Dump Source
• Source File: 00000003.00000002.2205066447.0000000000741000.00000020.00000001.01000000.00000005.sdmp, Offset: 00740000, based on PE: true
• Associated: 00000003.00000002.2205048640.0000000000740000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205096110.000000000076F000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205113588.0000000000770000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205132801.0000000000773000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2205153312.000000000077C000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_740000_yanidfx.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
• Opcode ID: 58ac25b8bc53b0ab33cd3029d9bf86ddbae31c35fadfda3710e801d8c02d43fb
• Instruction ID: 1cac2c4002c204d31b80bcd51773fe075a7f1656628a4926ea4bf5c6f066e455
• Opcode Fuzzy Hash: 58ac25b8bc53b0ab33cd3029d9bf86ddbae31c35fadfda3710e801d8c02d43fb
• Instruction Fuzzy Hash: 1C011E76640604DFCB049F54FC4962537A4F708391F44C025F91EC6262DBBDA4D08B5D

Execution Graph

Execution Coverage: 8.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1504
Total number of Limit Nodes: 7
9348->9349 9353 cf8e9a Mailbox 9349->9353 9351 cf8cff 9350->9351 9352 cf8251 2 API calls 9351->9352 9352->9338 9355 cfa805 2 API calls 9353->9355 9390 cf9051 Mailbox 9353->9390 9354 cfa805 2 API calls 9356 cf9087 9354->9356 9357 cf8f09 9355->9357 9359 cf0b92 9 API calls 9356->9359 9358 cf0b92 9 API calls 9357->9358 9360 cf8f23 9358->9360 9361 cf90d7 9359->9361 9362 ce5724 8 API calls 9360->9362 9363 ce5724 8 API calls 9361->9363 9364 cf8f32 Mailbox 9362->9364 9365 cf90e3 Mailbox 9363->9365 9366 cfa805 2 API calls 9364->9366 9367 cf8251 2 API calls 9365->9367 9368 cf8f5b 9366->9368 9369 cf90fd 9367->9369 9371 cf8251 2 API calls 9368->9371 9370 cf9142 socket 9369->9370 9372 ce5724 8 API calls 9369->9372 9374 cf9197 9370->9374 9370->9400 9373 cf8fbc Mailbox 9371->9373 9372->9370 9377 cf074e wvsprintfA 9373->9377 9375 cf91bb setsockopt 9374->9375 9376 cf91f3 gethostbyname 9374->9376 9375->9376 9380 cf9289 inet_ntoa inet_addr 9376->9380 9376->9400 9379 cf8fdd 9377->9379 9381 cf8251 2 API calls 9379->9381 9384 cf92ef 9380->9384 9385 cf92f9 htons connect 9380->9385 9383 cf8ff4 9381->9383 9386 cf0b92 9 API calls 9383->9386 9384->9385 9388 cf932f Mailbox 9385->9388 9385->9400 9387 cf9042 9386->9387 9389 ce5724 8 API calls 9387->9389 9391 cf939f send 9388->9391 9389->9390 9390->9354 9392 cf93bb Mailbox 9391->9392 9393 d09707 Mailbox 8 API calls 9392->9393 9392->9400 9407 cf93df Mailbox 9393->9407 9394 cf946b recv 9394->9407 9395 cf9784 closesocket 9398 cf97e1 9395->9398 9395->9400 9399 cf1c14 8 API calls 9398->9399 9399->9400 9400->9239 9401 cf7f29 Mailbox 8 API calls 9401->9407 9402 d09883 8 API calls 9402->9407 9403 cf8251 GetProcessHeap RtlFreeHeap 9403->9407 9405 cfa805 GetProcessHeap RtlAllocateHeap 9405->9407 9406 cf23e9 9 API calls 9406->9407 9407->9394 9407->9395 9407->9401 9407->9402 9407->9403 9407->9405 9407->9406 9638 d0d5e8 9407->9638 9642 cef1bd 9407->9642 9409 ce4f16 9408->9409 9412 cee739 9409->9412 9413 cee751 9412->9413 9414 cedd8f 8 API calls 9413->9414 
9415 ce4f36 9414->9415 9415->9247 9418 cf7ae2 9416->9418 9417 ce64bc 9417->9270 9418->9417 9469 d06c12 9418->9469 9422 cf7c94 Mailbox 9496 cf761b 9422->9496 9423 cf7d11 9423->9422 9479 cfbff6 9423->9479 9426 cf7dab 9486 cf70e6 9426->9486 9429 ce804b GetModuleFileNameA 9428->9429 9431 ce65c2 9429->9431 9431->9279 9431->9280 9433 cfae5e 9432->9433 9434 cebece 8 API calls 9433->9434 9435 ce66de 9433->9435 9434->9435 9436 d03ca3 9435->9436 9437 ce6702 9436->9437 9438 d03cd9 9436->9438 9437->9294 9438->9437 9439 cfae3b 8 API calls 9438->9439 9439->9438 9441 d0d84e Mailbox 9440->9441 9442 d0d94f CreatePipe 9441->9442 9443 d0d999 9442->9443 9444 d0d9ad SetHandleInformation 9442->9444 9445 d09707 Mailbox 8 API calls 9443->9445 9447 ce6894 DeleteFileA 9443->9447 9448 d0da12 9444->9448 9449 d0da3b CreatePipe 9444->9449 9445->9447 9447->9267 9448->9449 9450 d0da52 9449->9450 9451 d0da66 SetHandleInformation 9449->9451 9452 d0de64 CloseHandle 9450->9452 9454 d0da9a Mailbox 9451->9454 9452->9443 9453 d0de7b CloseHandle 9452->9453 9453->9443 9455 d0db76 CreateProcessA 9454->9455 9456 d0dbe0 CloseHandle 9455->9456 9457 d0dc04 WriteFile 9455->9457 9460 d0ddd2 CloseHandle 9456->9460 9457->9456 9459 d0dc3e CloseHandle CloseHandle 9457->9459 9463 d0dca1 9459->9463 9460->9452 9631 d04101 9463->9631 9467 d0dd6c CloseHandle CloseHandle 9467->9460 9470 d06c2d 9469->9470 9471 ce4088 4 API calls 9470->9471 9472 d06cb8 9471->9472 9473 ce86e2 4 API calls 9472->9473 9474 cf7c5d 9472->9474 9473->9474 9474->9422 9475 ce86e2 9474->9475 9476 ce86f8 9475->9476 9477 ce4088 4 API calls 9476->9477 9478 ce873e Mailbox 9477->9478 9478->9423 9499 ce7bf8 9479->9499 9483 cfc05c 9511 ce774c 9483->9511 9485 cfc089 Mailbox 9485->9426 9487 cf70f3 9486->9487 9492 cf71ef 9487->9492 9523 cfa4b9 9487->9523 9490 cfa805 2 API calls 9493 cf740b 9490->9493 9491 cfa805 2 API calls 9491->9492 9492->9422 9493->9492 9494 cf8251 2 API calls 9493->9494 9495 cf745e 9494->9495 9495->9491 9495->9492 9497 d0572d 2 API calls 
9496->9497 9498 cf7661 9497->9498 9498->9417 9500 ce7c25 9499->9500 9501 cfa805 2 API calls 9500->9501 9502 ce7c4e Mailbox 9501->9502 9503 cf8251 2 API calls 9502->9503 9504 ce7c82 9503->9504 9505 cf0ce6 9504->9505 9506 cf0d32 Mailbox 9505->9506 9508 cf1054 Mailbox 9506->9508 9509 cf0ecd 9506->9509 9517 cf0113 9506->9517 9508->9483 9509->9508 9510 cf0113 4 API calls 9509->9510 9510->9509 9512 ce77a8 Mailbox 9511->9512 9513 cf0ce6 4 API calls 9512->9513 9514 ce7a60 9513->9514 9515 cf0ce6 4 API calls 9514->9515 9516 ce7ab2 9515->9516 9516->9485 9518 cf0132 Mailbox 9517->9518 9519 cfa805 2 API calls 9518->9519 9520 cf0318 9519->9520 9521 cf8251 2 API calls 9520->9521 9522 cf05f9 9521->9522 9522->9509 9524 cfa506 9523->9524 9525 d06c12 4 API calls 9524->9525 9527 cfa539 9525->9527 9526 d0572d 2 API calls 9531 cf719b 9526->9531 9528 cfa58e 9527->9528 9529 cfa563 9527->9529 9533 cfa5e4 9527->9533 9534 ce69a8 9528->9534 9530 d0572d 2 API calls 9529->9530 9530->9531 9531->9490 9531->9492 9531->9495 9533->9526 9535 ce69c7 Mailbox 9534->9535 9536 ce4088 4 API calls 9535->9536 9546 ce76f7 9535->9546 9537 ce6c45 9536->9537 9538 ce4088 4 API calls 9537->9538 9568 ce70f3 9537->9568 9540 ce6c6a 9538->9540 9539 ce76cf 9541 ce76fc 9539->9541 9542 ce76e7 9539->9542 9547 ce4088 4 API calls 9540->9547 9540->9568 9543 d0572d 2 API calls 9541->9543 9545 d0572d 2 API calls 9542->9545 9543->9546 9544 d0572d 2 API calls 9544->9568 9545->9546 9546->9533 9548 ce6c97 9547->9548 9549 ce86e2 4 API calls 9548->9549 9559 ce6cb9 Mailbox 9548->9559 9548->9568 9550 ce6d18 9549->9550 9550->9568 9569 cedec6 9550->9569 9552 ce6e4c 9556 ce85a4 4 API calls 9552->9556 9553 ce6e3d 9555 d02405 4 API calls 9553->9555 9558 ce6e47 9555->9558 9556->9558 9560 ce85a4 4 API calls 9558->9560 9559->9552 9559->9553 9559->9568 9561 ce6ec5 9560->9561 9562 ce4088 4 API calls 9561->9562 9561->9568 9563 ce6f71 9562->9563 9564 ce85a4 4 API calls 9563->9564 9563->9568 9566 ce6f9e 9564->9566 9565 ce4088 4 API calls 
9565->9566 9566->9565 9567 ce85a4 4 API calls 9566->9567 9566->9568 9567->9566 9568->9539 9568->9544 9570 cedf1f 9569->9570 9571 ce4088 4 API calls 9570->9571 9572 ce6d62 9570->9572 9571->9572 9572->9568 9573 d02405 9572->9573 9574 d02431 9573->9574 9581 ce9903 9574->9581 9576 d02450 9577 cee4e4 4 API calls 9576->9577 9578 d0248c 9576->9578 9579 d024b6 9576->9579 9577->9576 9578->9579 9621 cf6d72 9578->9621 9579->9559 9582 ce9924 9581->9582 9583 ce99a4 9582->9583 9584 ce9a10 9582->9584 9587 ce9952 9582->9587 9585 ce99c4 9583->9585 9586 ce86e2 4 API calls 9583->9586 9588 ce85a4 4 API calls 9584->9588 9585->9587 9589 ce85a4 4 API calls 9585->9589 9615 ce99ea 9585->9615 9586->9585 9587->9576 9591 ce9a45 9588->9591 9589->9615 9590 d0572d 2 API calls 9590->9587 9592 ce85a4 4 API calls 9591->9592 9591->9615 9593 ce9aaa 9592->9593 9594 ce4088 4 API calls 9593->9594 9593->9615 9595 ce9aed 9594->9595 9596 ce86e2 4 API calls 9595->9596 9595->9615 9597 ce9b25 9596->9597 9598 ce4088 4 API calls 9597->9598 9597->9615 9599 ce9b46 9598->9599 9600 ce4088 4 API calls 9599->9600 9599->9615 9601 ce9b73 9600->9601 9602 cedec6 4 API calls 9601->9602 9604 ce9c7b 9601->9604 9601->9615 9603 ce9c56 9602->9603 9606 cedec6 4 API calls 9603->9606 9603->9615 9605 cedec6 4 API calls 9604->9605 9604->9615 9607 ce9d47 9605->9607 9606->9604 9608 cf6d72 4 API calls 9607->9608 9616 ce9e51 9607->9616 9608->9607 9609 cea66b 9610 ce85a4 4 API calls 9609->9610 9611 cea6fa 9609->9611 9610->9611 9613 ce85a4 4 API calls 9611->9613 9611->9615 9612 ce86e2 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9612->9616 9613->9615 9614 ce534c GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9614->9616 9615->9587 9615->9590 9616->9609 9616->9612 9616->9614 9616->9615 9617 cf6d72 4 API calls 9616->9617 9618 ce85a4 4 API calls 9616->9618 9619 cedec6 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9616->9619 9620 cee4e4 4 API calls 9616->9620 9617->9616 9618->9616 9619->9616 9620->9616 9622 
cf6d97 9621->9622 9623 cf6f07 9622->9623 9624 cf6dd4 9622->9624 9625 ceb38e 4 API calls 9623->9625 9627 cf6e66 9624->9627 9628 cf6df4 9624->9628 9626 cf6e24 9625->9626 9626->9578 9630 d058f9 4 API calls 9627->9630 9629 d058f9 4 API calls 9628->9629 9629->9626 9630->9626 9632 d0410e 9631->9632 9633 d09707 Mailbox 8 API calls 9632->9633 9635 d0419c 9633->9635 9634 d041f1 ReadFile 9634->9635 9636 d04256 WaitForSingleObject 9634->9636 9635->9634 9635->9636 9637 d09883 8 API calls 9635->9637 9636->9467 9637->9635 9639 d0d5ff 9638->9639 9640 ce3e8c GetSystemTimeAsFileTime 9639->9640 9641 d0d628 9639->9641 9640->9641 9641->9407 9643 cef206 9642->9643 9644 cfa805 2 API calls 9643->9644 9645 cef22f 9644->9645 9646 cf23e9 9 API calls 9645->9646 9647 cef250 Mailbox 9646->9647 9648 cf8251 2 API calls 9647->9648 9649 cef28d 9648->9649 9650 cef2a5 9649->9650 9651 cfa805 2 API calls 9649->9651 9650->9407 9652 cef2cb 9651->9652 9653 cf23e9 9 API calls 9652->9653 9654 cef2e2 Mailbox 9653->9654 9655 cf8251 2 API calls 9654->9655 9655->9650 9100 d0d01d 9101 d0d03a 9100->9101 9107 d05d58 9101->9107 9105 d0d067 9106 d0d108 ExitProcess 9105->9106 9108 d05d93 9107->9108 9118 ce565e 9108->9118 9110 d05dbb 9111 cf5d50 9110->9111 9112 cf5d87 GetStdHandle 9111->9112 9113 cf5d74 9111->9113 9114 cf5dc5 GetStdHandle 9112->9114 9115 cf5db3 9112->9115 9113->9112 9116 cf5dfa GetStdHandle 9114->9116 9115->9114 9116->9105 9119 ce56c5 GetProcessHeap HeapAlloc 9118->9119 9120 ce5695 9118->9120 9119->9110 9120->9119 9656 ce519e 9657 d023a6 Mailbox 2 API calls 9656->9657 9658 ce51b3 9657->9658 9027 cf549d 9028 cf54ba 9027->9028 9029 cf550a Mailbox 9027->9029 9030 cf55fd CreateProcessA 9029->9030 9031 cf5633 CloseHandle CloseHandle 9030->9031 9032 cf5677 9030->9032 9031->9032 9670 d095bd 9671 d095c3 Mailbox 9670->9671 9672 d090f1 Mailbox 4 API calls 9671->9672 9673 d09605 Mailbox 9672->9673 7943 d0cdbf 7944 d0ce1b 7943->7944 7947 cfff2a 7944->7947 7945 d0cf4c 8174 cf8251 7947->8174 7951 cfff74 7952 
cf8251 2 API calls 7951->7952 7953 cfff88 7952->7953 7954 cfa805 2 API calls 7953->7954 7955 cfffc7 7954->7955 7956 cf8251 2 API calls 7955->7956 7957 cfffdb 7956->7957 7958 cfa805 2 API calls 7957->7958 7959 d0001a 7958->7959 7960 cf8251 2 API calls 7959->7960 7961 d0002e 7960->7961 7962 cfa805 2 API calls 7961->7962 7963 d00063 7962->7963 7964 cf8251 2 API calls 7963->7964 7965 d00077 7964->7965 7966 cfa805 2 API calls 7965->7966 7967 d000f0 7966->7967 7968 cf8251 2 API calls 7967->7968 7969 d00126 7968->7969 7970 cfa805 2 API calls 7969->7970 7971 d001a6 7970->7971 7972 cf8251 2 API calls 7971->7972 7973 d001c4 7972->7973 7974 cfa805 2 API calls 7973->7974 7975 d00238 7974->7975 7976 cf8251 2 API calls 7975->7976 7977 d00252 7976->7977 7978 cfa805 2 API calls 7977->7978 7979 d00283 7978->7979 7980 cf8251 2 API calls 7979->7980 7981 d002bf 7980->7981 7982 cfa805 2 API calls 7981->7982 7983 d00325 7982->7983 7984 cf8251 2 API calls 7983->7984 7985 d00339 7984->7985 7986 cfa805 2 API calls 7985->7986 7987 d0036a 7986->7987 7988 cf8251 2 API calls 7987->7988 7989 d003bd 7988->7989 7990 cfa805 2 API calls 7989->7990 7991 d00402 7990->7991 7992 cf8251 2 API calls 7991->7992 7993 d00422 7992->7993 7994 cfa805 2 API calls 7993->7994 7995 d00469 7994->7995 7996 cf8251 2 API calls 7995->7996 7997 d004b2 7996->7997 7998 cf8251 2 API calls 7997->7998 7999 d00503 Mailbox 7998->7999 8181 cede5a GetProcessHeap RtlFreeHeap 7999->8181 8003 d0054a 8004 cfa805 2 API calls 8003->8004 8005 d00560 GetEnvironmentVariableA 8004->8005 8006 d005b2 8005->8006 8007 cf8251 2 API calls 8006->8007 8008 d005d0 CreateMutexA CreateMutexA CreateMutexA 8007->8008 8009 d00665 8008->8009 8010 d00809 8009->8010 8011 d006c9 8009->8011 8012 d006de GetTickCount 8009->8012 8188 ce88a8 8010->8188 8011->8012 8014 d006f2 8012->8014 8016 cfa805 2 API calls 8014->8016 8015 d00818 GetCommandLineA 8018 d008a8 8015->8018 8020 d00710 8016->8020 8019 cfa805 2 API calls 8018->8019 8022 d008c5 8019->8022 8021 cf8251 
2 API calls 8020->8021 8023 d007b7 8021->8023 8024 cf8251 2 API calls 8022->8024 8023->8010 8025 d0092f 8024->8025 8026 d01311 GetCommandLineA 8025->8026 8027 d00964 8025->8027 8347 d03e09 8026->8347 8028 cfa805 2 API calls 8027->8028 8032 d00996 8028->8032 8031 d013a1 8350 d042b6 8031->8350 8033 cf8251 2 API calls 8032->8033 8035 d00a10 8033->8035 8039 cfa805 2 API calls 8035->8039 8041 d00a21 8035->8041 8036 d013dc 8037 d01417 GetModuleFileNameA 8036->8037 8038 d013f9 8036->8038 8353 cf20d8 lstrlen 8037->8353 8038->8037 8043 d00ac3 8039->8043 8344 cf15e5 8041->8344 8045 cf8251 2 API calls 8043->8045 8047 d00b1f 8045->8047 8046 d0145c 8050 cf20d8 2 API calls 8046->8050 8047->8041 8291 cef793 8047->8291 8048 cfa805 2 API calls 8049 d022a4 8048->8049 8554 cee2f8 8049->8554 8052 d01510 8050->8052 8054 cf20d8 2 API calls 8052->8054 8066 d01523 8054->8066 8056 cfa805 2 API calls 8062 d00ba4 8056->8062 8057 d01785 8376 ce3b2c 8057->8376 8058 d022c9 8058->7945 8060 d017c8 8061 d0175d 8060->8061 8384 cfb3db 8060->8384 8061->8041 8064 cf8251 2 API calls 8062->8064 8083 d00be7 8064->8083 8065 d017ed 8067 ce3e8c GetSystemTimeAsFileTime 8065->8067 8066->8057 8070 d015b0 8066->8070 8068 d01806 8067->8068 8478 ceddd3 8068->8478 8356 cfaf1f 8070->8356 8073 d015e1 8362 ce5c39 8073->8362 8077 d00d00 Sleep 8078 cfb046 5 API calls 8077->8078 8079 d00d57 8078->8079 8079->8083 8080 d015fa 8080->8061 8081 cfa805 2 API calls 8080->8081 8084 d01680 8081->8084 8082 d00dd2 Sleep 8082->8083 8083->8077 8083->8082 8107 d00dfe 8083->8107 8296 cf571f 8083->8296 8307 cfb046 8083->8307 8319 ce3e8c 8083->8319 8087 d042b6 lstrlen 8084->8087 8085 d0186d 8090 d018fb WSAStartup 8085->8090 8086 cf571f 6 API calls 8086->8107 8089 d01695 MessageBoxA 8087->8089 8088 d00ee5 8091 cfb046 5 API calls 8088->8091 8096 d01738 8089->8096 8092 d01928 8090->8092 8101 d0197d 8090->8101 8095 d00ef9 8091->8095 8092->8048 8097 d00f60 GetModuleFileNameA SetFileAttributesA 8095->8097 8098 d012ba 8095->8098 8099 cf8251 2 
API calls 8096->8099 8102 d00fcc CopyFileA 8097->8102 8337 cf54d8 8098->8337 8099->8061 8100 d01a3d 8108 d01a8c CloseHandle SetFileAttributesA 8100->8108 8133 d01d7e 8100->8133 8101->8100 8482 d0395f 8101->8482 8109 cfa805 2 API calls 8102->8109 8103 d00ea2 Sleep 8103->8107 8107->8086 8107->8088 8107->8103 8323 cf0806 8107->8323 8110 d01b05 CopyFileA 8108->8110 8111 d01ae9 8108->8111 8112 d01044 8109->8112 8114 d01b22 SetFileAttributesA 8110->8114 8115 d01c76 8110->8115 8111->8110 8122 cf8251 2 API calls 8112->8122 8113 cf571f 6 API calls 8113->8133 8120 d01b79 8114->8120 8121 d01b5b 8114->8121 8523 ceb7cd WaitForSingleObject 8115->8523 8117 d019d7 8117->8061 8492 cef02c 8117->8492 8119 d01e3f SetFileAttributesA CopyFileA SetFileAttributesA 8134 cef793 lstrlen 8119->8134 8129 d01c27 Sleep 8120->8129 8514 cf6bd8 8120->8514 8501 d035ad 8121->8501 8125 d01077 8122->8125 8123 cf0806 9 API calls 8127 d01dcb Sleep 8123->8127 8135 d0111d 8125->8135 8139 cfa805 2 API calls 8125->8139 8127->8133 8132 cf54d8 3 API calls 8129->8132 8131 d01bef 8131->8129 8132->8115 8133->8113 8133->8119 8133->8123 8138 d01ed0 8134->8138 8136 d01195 SetFileAttributesA 8135->8136 8137 d01206 SetFileAttributesA 8135->8137 8144 d0126d 8136->8144 8137->8144 8141 cfa805 2 API calls 8138->8141 8142 d010ce 8139->8142 8145 d01ee6 8141->8145 8147 cf8251 2 API calls 8142->8147 8144->8098 8146 cfa805 2 API calls 8145->8146 8148 d01f29 8146->8148 8147->8135 8149 cf8251 2 API calls 8148->8149 8150 d01f4e 8149->8150 8525 d075ce 8150->8525 8152 d01f65 8153 cf8251 2 API calls 8152->8153 8154 d01fc0 8153->8154 8529 d0473b 8154->8529 8157 cfa805 2 API calls 8158 d02012 8157->8158 8159 cfa805 2 API calls 8158->8159 8160 d02031 8159->8160 8550 cf074e 8160->8550 8162 d02063 8163 cf8251 2 API calls 8162->8163 8164 d02079 8163->8164 8165 cf8251 2 API calls 8164->8165 8166 d02092 8165->8166 8167 cf54d8 3 API calls 8166->8167 8168 d020d2 Mailbox 8167->8168 8169 d02140 CreateThread 8168->8169 8171 d02179 8169->8171 
8170 d021c3 Sleep 8171->8170 8553 d074e8 StartServiceCtrlDispatcherA 8171->8553 8175 cf8268 Mailbox 8174->8175 8176 cede5a Mailbox 2 API calls 8175->8176 8177 cf82cb 8176->8177 8178 cfa805 8177->8178 8560 d023a6 8178->8560 8180 cfa878 Mailbox 8180->7951 8182 cede8a 8181->8182 8183 d0d256 GetSystemTime 8182->8183 8184 d0d2ec 8183->8184 8185 ce3e8c GetSystemTimeAsFileTime 8184->8185 8186 d0d368 GetTickCount 8185->8186 8187 d0d39b 8186->8187 8187->8003 8189 ce88cc 8188->8189 8190 ce88ea GetVersionExA 8189->8190 8563 cee769 8190->8563 8196 ce89fc 8199 ce8a89 CreateDirectoryA 8196->8199 8197 ce8b28 8198 cfa805 2 API calls 8197->8198 8200 ce8bc2 8198->8200 8201 cfa805 2 API calls 8199->8201 8586 ce846d 8200->8586 8203 ce8ae2 8201->8203 8206 cf8251 2 API calls 8203->8206 8205 cf8251 2 API calls 8207 ce8c06 Mailbox 8205->8207 8206->8197 8590 cec622 8207->8590 8209 ce8d6f 8211 cfc0de 6 API calls 8209->8211 8210 ce8cfe DeleteFileA 8213 ce8d3d RemoveDirectoryA 8210->8213 8214 ce8d2b 8210->8214 8215 ce8d85 8211->8215 8213->8209 8214->8213 8216 ce8dc3 CreateDirectoryA 8215->8216 8217 ce8e00 8216->8217 8218 cef793 lstrlen 8217->8218 8219 ce8e64 CreateDirectoryA 8218->8219 8221 cfa805 2 API calls 8219->8221 8222 ce8eb8 8221->8222 8223 cfa805 2 API calls 8222->8223 8224 ce8f10 8223->8224 8225 cf8251 2 API calls 8224->8225 8226 ce8f6c 8225->8226 8227 ce846d 9 API calls 8226->8227 8228 ce8f89 8227->8228 8229 cf8251 2 API calls 8228->8229 8230 ce8f9b Mailbox 8229->8230 8231 cec622 5 API calls 8230->8231 8232 ce8fca 8231->8232 8233 ce9769 8232->8233 8235 ce906c 8232->8235 8236 ce8fec 8232->8236 8234 cef793 lstrlen 8233->8234 8239 ce977f SetFileAttributesA 8234->8239 8238 cfa805 2 API calls 8235->8238 8237 cfa805 2 API calls 8236->8237 8240 ce900e 8237->8240 8241 ce9082 8238->8241 8246 ce97e1 Mailbox 8239->8246 8242 cf074e wvsprintfA 8240->8242 8243 cf074e wvsprintfA 8241->8243 8244 ce9034 8242->8244 8245 ce90a0 8243->8245 8247 cf8251 2 API calls 8244->8247 8248 cf8251 2 API calls 
8245->8248 8246->8015 8249 ce905d 8247->8249 8248->8249 8250 ce9128 8249->8250 8251 ce9144 CreateDirectoryA 8250->8251 8252 ce917e 8251->8252 8253 cef793 lstrlen 8252->8253 8254 ce91cd CreateDirectoryA 8253->8254 8255 cfa805 2 API calls 8254->8255 8256 ce9210 8255->8256 8257 cfa805 2 API calls 8256->8257 8258 ce923f 8257->8258 8259 cf8251 2 API calls 8258->8259 8260 ce927a 8259->8260 8261 ce846d 9 API calls 8260->8261 8262 ce928f 8261->8262 8263 cf8251 2 API calls 8262->8263 8264 ce9307 Mailbox 8263->8264 8265 cec622 5 API calls 8264->8265 8266 ce9336 8265->8266 8267 ce9716 8266->8267 8268 ce9341 GetTempPathA 8266->8268 8267->8233 8269 d042b6 lstrlen 8268->8269 8270 ce938b 8269->8270 8271 cef793 lstrlen 8270->8271 8272 ce94ae CreateDirectoryA 8271->8272 8273 ce94fd 8272->8273 8274 cfa805 2 API calls 8273->8274 8275 ce9519 8274->8275 8276 cfa805 2 API calls 8275->8276 8277 ce9577 8276->8277 8278 cf8251 2 API calls 8277->8278 8279 ce95a4 8278->8279 8280 ce846d 9 API calls 8279->8280 8281 ce95ba 8280->8281 8282 cf8251 2 API calls 8281->8282 8283 ce95dc Mailbox 8282->8283 8284 cec622 5 API calls 8283->8284 8285 ce960b 8284->8285 8285->8267 8286 ce9633 GetTempPathA 8285->8286 8287 ce9670 8286->8287 8288 cfa805 2 API calls 8287->8288 8289 ce96a4 8288->8289 8290 cf8251 2 API calls 8289->8290 8290->8267 8292 ceddd3 lstrlen 8291->8292 8295 cef7bd 8292->8295 8293 cef80a 8293->8056 8294 d042b6 lstrlen 8294->8293 8295->8293 8295->8294 8297 cf5751 CreateToolhelp32Snapshot 8296->8297 8301 cf5828 8297->8301 8299 cf5a95 Mailbox 8299->8083 8300 cf58da Process32First 8302 cf5a6c FindCloseChangeNotification 8300->8302 8304 cf590e 8300->8304 8301->8299 8301->8300 8302->8299 8303 cf20d8 2 API calls 8303->8304 8304->8303 8305 cf5a29 8304->8305 8306 cf59c2 Process32Next 8304->8306 8305->8302 8306->8304 8308 cfb068 CreateFileA 8307->8308 8310 cfb11b 8308->8310 8311 cfb142 GetFileTime 8308->8311 8310->8083 8312 cfb1c7 8311->8312 8313 cfb177 8311->8313 8316 cfb204 
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 8312->8316 8314 cfb193 8313->8314 8315 cfb1b1 CloseHandle 8313->8315 8314->8315 8315->8310 8317 cfb264 GetFileSize CloseHandle 8316->8317 8318 cfb2f4 8317->8318 8318->8310 8320 ce3ebf GetSystemTimeAsFileTime 8319->8320 8322 ce3f11 __aulldiv 8320->8322 8322->8083 8325 cf084d CreateToolhelp32Snapshot 8323->8325 8326 cf08ee Process32First 8325->8326 8327 cf0b20 Mailbox 8325->8327 8329 cf0aeb 8326->8329 8335 cf0988 8326->8335 8327->8107 8330 cf0b0f CloseHandle 8329->8330 8331 cf0aea 8329->8331 8330->8327 8331->8329 8331->8330 8332 cf20d8 2 API calls 8332->8335 8333 cf09f5 OpenProcess 8333->8335 8334 cf0aa4 Process32Next 8334->8331 8334->8335 8335->8332 8335->8333 8335->8334 8336 cf0a61 TerminateProcess CloseHandle 8335->8336 8336->8335 8338 cf54ea Mailbox 8337->8338 8339 cf55fd CreateProcessA 8338->8339 8340 cf5677 8339->8340 8341 cf5633 8339->8341 8340->8041 8342 cf564f CloseHandle CloseHandle 8341->8342 8343 cf5645 8341->8343 8342->8340 8343->8342 8637 cfbf87 8344->8637 8346 cf1600 ExitProcess 8348 d042b6 lstrlen 8347->8348 8349 d03e48 8348->8349 8349->8031 8351 d042cf lstrlen 8350->8351 8351->8036 8354 cf210f CharLowerBuffA 8353->8354 8354->8046 8357 cfaf3f 8356->8357 8639 cf111e 8357->8639 8359 cfaf7b 8360 cf54d8 3 API calls 8359->8360 8361 cfafe0 Mailbox 8360->8361 8361->8073 8363 ce5c69 8362->8363 8364 d042b6 lstrlen 8363->8364 8371 ce6052 Mailbox 8363->8371 8365 ce5dce Sleep 8364->8365 8366 ce5e25 8365->8366 8367 cfa805 2 API calls 8366->8367 8368 ce5e52 8367->8368 8369 cf8251 2 API calls 8368->8369 8370 ce5e87 FindFirstFileA 8369->8370 8370->8371 8373 ce5ecd 8370->8373 8371->8080 8372 ce5fdb DeleteFileA 8372->8373 8374 ce6018 FindNextFileA 8372->8374 8373->8372 8373->8374 8374->8373 8375 ce602e FindClose 8374->8375 8375->8371 8377 cef793 lstrlen 8376->8377 8378 ce3b68 8377->8378 8379 cfa805 2 API calls 8378->8379 8380 ce3b88 8379->8380 8381 cf8251 2 API calls 8380->8381 8382 ce3bc6 CreateFileA 8381->8382 8383 ce3c14 
Mailbox 8382->8383 8383->8060 8385 cfb41c 8384->8385 8386 cfb4ff GetComputerNameA 8385->8386 8387 cfb536 8386->8387 8388 cfb59e 8386->8388 8390 cfa805 2 API calls 8387->8390 8389 cfa805 2 API calls 8388->8389 8391 cfb5fa 8389->8391 8392 cfb552 8390->8392 8394 cf8251 2 API calls 8391->8394 8393 cf8251 2 API calls 8392->8393 8393->8388 8395 cfb63d 8394->8395 8396 ce846d 9 API calls 8395->8396 8397 cfb661 8396->8397 8670 ce695e 8397->8670 8399 cfb6db Mailbox 8673 d084d7 8399->8673 8402 d042b6 lstrlen 8403 cfb7d9 8402->8403 8708 cf0b92 8403->8708 8407 cfb834 Mailbox 8408 ce695e 8 API calls 8407->8408 8409 cfb891 8408->8409 8410 cf0b92 9 API calls 8409->8410 8411 cfb92e 8410->8411 8412 ce5724 8 API calls 8411->8412 8413 cfb93d Mailbox 8412->8413 8414 ce695e 8 API calls 8413->8414 8415 cfb964 8414->8415 8416 cf0b92 9 API calls 8415->8416 8417 cfb988 8416->8417 8418 ce5724 8 API calls 8417->8418 8419 cfb997 Mailbox 8418->8419 8420 ce695e 8 API calls 8419->8420 8421 cfb9cf 8420->8421 8422 cf0b92 9 API calls 8421->8422 8423 cfb9fe 8422->8423 8424 ce5724 8 API calls 8423->8424 8425 cfba0a Mailbox 8424->8425 8426 ce695e 8 API calls 8425->8426 8427 cfba25 8426->8427 8428 cf0b92 9 API calls 8427->8428 8429 cfba48 8428->8429 8430 ce5724 8 API calls 8429->8430 8431 cfba57 Mailbox 8430->8431 8432 ce695e 8 API calls 8431->8432 8433 cfba79 8432->8433 8434 cfa805 2 API calls 8433->8434 8435 cfba95 8434->8435 8436 cf0b92 9 API calls 8435->8436 8437 cfbab9 8436->8437 8438 ce5724 8 API calls 8437->8438 8439 cfbac8 Mailbox 8438->8439 8440 cf8251 2 API calls 8439->8440 8441 cfbaf7 8440->8441 8442 ce695e 8 API calls 8441->8442 8443 cfbb1f 8442->8443 8444 cf0b92 9 API calls 8443->8444 8445 cfbb3d 8444->8445 8446 ce5724 8 API calls 8445->8446 8447 cfbb49 Mailbox 8446->8447 8448 ce695e 8 API calls 8447->8448 8449 cfbb75 8448->8449 8450 cf0b92 9 API calls 8449->8450 8451 cfbb96 8450->8451 8452 ce5724 8 API calls 8451->8452 8453 cfbba5 Mailbox 8452->8453 8454 ce695e 8 API calls 8453->8454 8455 
cfbbcb 8454->8455 8715 ce3cdc 8455->8715 8459 cfbc06 8460 cf0b92 9 API calls 8459->8460 8461 cfbc12 8460->8461 8462 ce5724 8 API calls 8461->8462 8463 cfbc21 Mailbox 8462->8463 8464 ce695e 8 API calls 8463->8464 8465 cfbc3f 8464->8465 8466 cf0b92 9 API calls 8465->8466 8467 cfbc85 8466->8467 8468 ce5724 8 API calls 8467->8468 8469 cfbc94 Mailbox 8468->8469 8725 cf5fba 8469->8725 8471 cfbccc 8752 d09707 8471->8752 8473 cfbd04 Mailbox 8755 d09883 8473->8755 8475 cfbd30 8759 ceee34 8475->8759 8477 cfbd6e Mailbox 8477->8065 8479 cede20 8478->8479 8480 d042b6 lstrlen 8479->8480 8481 cede3f 8480->8481 8481->8085 8483 d03980 8482->8483 8484 cef793 lstrlen 8483->8484 8485 d039f3 8484->8485 8486 cfa805 2 API calls 8485->8486 8488 d03a11 Mailbox 8485->8488 8487 d03ace 8486->8487 8489 cf8251 2 API calls 8487->8489 8488->8117 8490 d03b0d 8489->8490 8807 cf9b78 8490->8807 8493 cef065 8492->8493 8494 ce3e8c GetSystemTimeAsFileTime 8493->8494 8495 cef079 8494->8495 8496 cef15a 8495->8496 8497 ce3e8c GetSystemTimeAsFileTime 8495->8497 8496->8100 8500 cef104 8497->8500 8498 cef10f Sleep 8499 ce3e8c GetSystemTimeAsFileTime 8498->8499 8499->8500 8500->8496 8500->8498 8502 d035f3 OpenSCManagerA 8501->8502 8504 d036a9 CreateServiceA 8502->8504 8505 d038db 8502->8505 8506 d036f0 ChangeServiceConfig2A StartServiceA CloseServiceHandle 8504->8506 8507 d03777 OpenServiceA 8504->8507 8505->8120 8509 d0388e CloseServiceHandle 8506->8509 8511 d037eb 8507->8511 8509->8505 8512 d03811 StartServiceA CloseServiceHandle 8511->8512 8513 d03866 8511->8513 8512->8513 8513->8509 8515 cf6c36 8514->8515 8516 cfa805 2 API calls 8515->8516 8517 cf6c9d RegOpenKeyA 8516->8517 8518 cf8251 2 API calls 8517->8518 8519 cf6ccb 8518->8519 8520 cf6d31 RegCloseKey 8519->8520 8521 d042b6 lstrlen 8519->8521 8520->8131 8522 cf6d0f RegSetValueExA 8521->8522 8522->8520 8524 ceb846 8523->8524 8524->8061 8526 d075f4 8525->8526 8527 d076ef CreateFileA 8526->8527 8528 d07732 Mailbox 8527->8528 8528->8152 8530 d04771 
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00D00590
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00D005E4
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00D00629
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00D00649
• GetTickCount.KERNEL32 ref: 00D006E6
• GetCommandLineA.KERNEL32 ref: 00D00873
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: CreateMutex$CommandCountEnvironmentLineTickVariable
• String ID: 241$C:\Windows\system32\config\systemprofile$HO$^d/$wb_m$~z0
• API String ID: 3327569919-55223334
• Opcode ID: eed380e281fce9acff3a89b7a8a65102a28011829e715658ded3f78738e5c7fa
• Instruction ID: 761914c77d0ebba821c5728284ae1fdcab5dedcca92e1ff4d028c904513b87eb
• Opcode Fuzzy Hash: eed380e281fce9acff3a89b7a8a65102a28011829e715658ded3f78738e5c7fa
• Instruction Fuzzy Hash: A1037575605300BBD708DB68FC96AFA37B5EB48311B14811AE906CA3B1EF349983DB75

APIs
• GetVersionExA.KERNEL32(00D1B028), ref: 00CE893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00CE8AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 00CE8D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00CE8D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00CE8DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00CE8E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE9158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE91F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 00CE936E
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 00CE94DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 00CE963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 00CE97B0
Strings
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\hjflhukc\$Ua-W$\$gKV`
• API String ID: 1691758827-3231860264
• Opcode ID: aabc132e53101bb6000d22fd6388893b5031224571925ea483d6e3f535dc464c
• Instruction ID: f1fe09d9f98096bfcd093f23c6d0b63990471910d471a44c26959a20a1373274
• Opcode Fuzzy Hash: aabc132e53101bb6000d22fd6388893b5031224571925ea483d6e3f535dc464c
• Instruction Fuzzy Hash: 5982BBB1505344ABD708DB69FC929EA77B9FB54310B00C02AE906D63B1EF349A87DB35

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CF5804
• Process32First.KERNEL32(00000000,00000128), ref: 00CF58E2
• Process32Next.KERNEL32(00000000,00000128), ref: 00CF59E8
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00CF5A7E
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: 64f4078512d768dcb15d4ac52fae9fa14911bdcf5877f9a54ebd96633fc34287
• Instruction ID: 6cadce2803e1dc49d3b4d673cf3536f246e1b02f4db24a4ed502602c96e0c36d
• Opcode Fuzzy Hash: 64f4078512d768dcb15d4ac52fae9fa14911bdcf5877f9a54ebd96633fc34287
• Instruction Fuzzy Hash: BB918676A15704EBC748DB69FCA65F977B4EB48311B10811AEA02C63B0EF349A43CF61

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 698 cf0806-cf084b 699 cf084d-cf0867 698->699 700 cf086c-cf087c 698->700 699->700 701 cf087e-cf088b 700->701 702 cf0891-cf08a1 700->702 701->702 703 cf08be-cf08e8 CreateToolhelp32Snapshot 702->703 704 cf08a3-cf08b8 702->704 705 cf08ee-cf091f 703->705 706 cf0b20-cf0b91 call cf06af 703->706 704->703 708 cf095e-cf0982 Process32First 705->708 709 cf0921-cf0941 705->709 712 cf0aeb-cf0b03 708->712 713 cf0988 708->713 709->708 711 cf0943-cf0957 709->711 711->708 714 cf0b0f-cf0b16 CloseHandle 712->714 715 cf0b05 712->715 716 cf0989-cf09ef call d05eaf call cf20d8 call d07406 713->716 714->706 715->714 723 cf09f5-cf0a29 OpenProcess 716->723 724 cf0aa4-cf0ae4 Process32Next 716->724 725 cf0a2b-cf0a50 723->725 726 cf0a92-cf0a9e 723->726 724->716 727 cf0aea 724->727 728 cf0a52-cf0a5c 725->728 729 cf0a61-cf0a88 TerminateProcess CloseHandle 725->729 726->724 727->712 728->729 729->726
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CF08C2
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 00CF0966
                                                                                                                                                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CF0A15
                                                                                                                                                                                                            • TerminateProcess.KERNELBASE(00000000,000000FF), ref: 00CF0A64
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00CF0A82
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 00CF0AD2
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00CF0B10
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2696918072-0
                                                                                                                                                                                                            • Opcode ID: 3ea1bf732c790467651be85401ceeafe1befd8dde859d9eed8778fcf48dcea6f
                                                                                                                                                                                                            • Instruction ID: 5f93a5b7c95a7b862a53cbd8df5eb19d0dfe0546bce1698dfe67f8a7f159de30
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3ea1bf732c790467651be85401ceeafe1befd8dde859d9eed8778fcf48dcea6f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36819576511705BBD344CB68FD91AEA73B4FB48712B10C11AE906C67B1EF3889838B65

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 730 cfb046-cfb066 731 cfb0ac-cfb0cc 730->731 732 cfb068-cfb09f 730->732 734 cfb0ce-cfb0d3 731->734 735 cfb0d9-cfb0ea 731->735 732->731 733 cfb0a1-cfb0a7 732->733 733->731 734->735 736 cfb0ec 735->736 737 cfb0f6-cfb119 CreateFileA 735->737 736->737 738 cfb11b-cfb133 737->738 739 cfb142-cfb175 GetFileTime 737->739 740 cfb13a-cfb13d 738->740 741 cfb1c7-cfb202 739->741 742 cfb177-cfb191 739->742 743 cfb35a-cfb35f 740->743 746 cfb204-cfb20e 741->746 747 cfb210-cfb222 741->747 744 cfb193-cfb1ac 742->744 745 cfb1b1-cfb1c2 CloseHandle 742->745 744->745 745->740 748 cfb252-cfb2f2 call cee909 GetFileSize CloseHandle 746->748 749 cfb248 747->749 750 cfb224-cfb246 747->750 753 cfb2f4-cfb2fe 748->753 754 cfb323-cfb334 748->754 749->748 750->748 755 cfb314 753->755 756 cfb300-cfb30a 753->756 757 cfb358 754->757 758 cfb336-cfb353 754->758 755->754 756->755 757->743 758->757
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00CFB104
                                                                                                                                                                                                            • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00CFB16D
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00CFB1B2
                                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CFB25F
                                                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00CFB2AB
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00CFB2D8
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3236713533-0
                                                                                                                                                                                                            • Opcode ID: b0b5f6b65f04700b5930cff0657384be66ad3474653db08d39e1fa7399daed56
                                                                                                                                                                                                            • Instruction ID: 9ac484e0a9636a332d67bae39328e26ae9f89acf8192f191ca2e705f4c189383
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b0b5f6b65f04700b5930cff0657384be66ad3474653db08d39e1fa7399daed56
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 95717675615308FBD344CF68FD915BA77B4FB48325710861AE912C67B0EB389A83CB22

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 759 cf549d-cf54b8 760 cf550a-cf550c 759->760 761 cf54ba-cf54d5 759->761 762 cf550e-cf5529 760->762 763 cf552b 760->763 764 cf5535-cf55d8 call cf06af * 2 762->764 763->764 769 cf55fd-cf5631 CreateProcessA 764->769 770 cf55da-cf55f6 764->770 772 cf5677 769->772 773 cf5633-cf5643 769->773 770->769 771 cf55f8 770->771 771->769 774 cf5681-cf568e 772->774 775 cf564f-cf5675 CloseHandle * 2 773->775 776 cf5645 773->776 775->774 776->775
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,00CEDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00CF5628
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00CEDA33,?,?,?,?,00000000), ref: 00CF5652
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00CF5665
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                                            • String ID: D
                                                                                                                                                                                                            • API String ID: 2922976086-2746444292
                                                                                                                                                                                                            • Opcode ID: 3a271c7762d8fa70e47ceab446e27737f9b1c1e21966a9a8c6d5020f54ad6b44
                                                                                                                                                                                                            • Instruction ID: 29a3d91b798934095765118fedc76953fd280ec31505801747c02194dedfe9ec
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a271c7762d8fa70e47ceab446e27737f9b1c1e21966a9a8c6d5020f54ad6b44
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1641CD32500748ABC758DBA5FD66AFA77B5FB84310B00C11AEA12CA361EF358903DB35

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 777 cf54d8-cf54e8 778 cf54ea-cf550c 777->778 779 cf5535-cf55d8 call cf06af * 2 777->779 780 cf550e-cf5529 778->780 781 cf552b 778->781 786 cf55fd-cf5631 CreateProcessA 779->786 787 cf55da-cf55f6 779->787 780->779 781->779 789 cf5677 786->789 790 cf5633-cf5643 786->790 787->786 788 cf55f8 787->788 788->786 791 cf5681-cf568e 789->791 792 cf564f-cf5675 CloseHandle * 2 790->792 793 cf5645 790->793 792->791 793->792
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,00CEDA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00CF5628
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00CEDA33,?,?,?,?,00000000), ref: 00CF5652
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00CF5665
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                                            • String ID: D
                                                                                                                                                                                                            • API String ID: 2922976086-2746444292
                                                                                                                                                                                                            • Opcode ID: 9f81daf0239ef4927e11b0a864d633eaac5f78387aa9d126f2cfa27ee306699f
                                                                                                                                                                                                            • Instruction ID: 629d228ccd2f20d53bd62a00c3c42a53d6eddad0f2b8987101ffe9e31890e346
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9f81daf0239ef4927e11b0a864d633eaac5f78387aa9d126f2cfa27ee306699f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35418971501708FBCB58DB95FD969FA77B5EB84700B00C01AE612CA360EF348942DB72

Control-flow Graph (image not reproduced)
APIs
  • Part of subcall function 00CEB7CD: WaitForSingleObject.KERNEL32(00CFAEAC,00004E20,00000001,?,00CEBFA2,00000001,-AF16B4FB,?,00CFAEAC,00CE66DE), ref: 00CEB81D
• CreateFileA.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000000,00000000,?,00CE67E3,?,00000004,?,00000000,?), ref: 00CEC746
• WriteFile.KERNELBASE(00000000,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 00CEC90B
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00000001), ref: 00CEC983
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: File$ChangeCloseCreateFindNotificationObjectSingleWaitWrite
• String ID:
• API String ID: 2552625159-0
• Opcode ID: d0ffba35c5f0f7f5e844c34dc9014bf609b28a6b015ea40450005255906b118e
• Instruction ID: b5f68218c8cbbf6db562740dffe741186bef1901b688649d163c65a42cd5f4b5
• Opcode Fuzzy Hash: d0ffba35c5f0f7f5e844c34dc9014bf609b28a6b015ea40450005255906b118e
• Instruction Fuzzy Hash: 9F9162B5511341BBC708CF69FDA69AA7BA5FB88320710C11AE406CA3B5EF349943DB64

Control-flow Graph (image not reproduced)
APIs
• AllocateAndInitializeSid.ADVAPI32(00CE8954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00CE8954), ref: 00CEE865
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00CEE895
• FreeSid.ADVAPI32(?), ref: 00CEE8DC
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: ff3c54a07f57bb40e93950c0c05d125f53269d73697390893c720c531285a70c
• Instruction ID: 10781b547aaef78270913865db409cd4c3e70c878cc0f5b50475a8c5ffa6d735
• Opcode Fuzzy Hash: ff3c54a07f57bb40e93950c0c05d125f53269d73697390893c720c531285a70c
• Instruction Fuzzy Hash: 7C411275915304FBCB04CFAAFD956E9B7B5FB08305B90801AE402D63A4EF349982DB65

Control-flow Graph (image not reproduced)
APIs
• lstrlen.KERNEL32(?,?,00CF09C2,?,?,?), ref: 00CF20F0
• CharLowerBuffA.USER32(?,00000000,?,00CF09C2,?,?,?), ref: 00CF2131
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: 55a34f58d42be80674dd59dca0a2d1d472f043801a8f5133b6b568df94ee2845
• Instruction ID: f8e6a9139ae35c602040fd897ac04a7c47df111ec9341d7c8a8ec7e2d288a326
• Opcode Fuzzy Hash: 55a34f58d42be80674dd59dca0a2d1d472f043801a8f5133b6b568df94ee2845
• Instruction Fuzzy Hash: E0F06D31514304BBDB45CF4AE8564BA37B2FB54700740C019E806CA771EF309D82EB76

Control-flow Graph (image not reproduced)
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00D0A3A7,?,?,?,00D0D0BE), ref: 00D023F6
• RtlAllocateHeap.NTDLL(00000000,?,00D0A3A7,?,?,?,00D0D0BE), ref: 00D023FD
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 31a5053e5351b3c290feda93def48459f172f4231d71e052e217649c936f81ce
• Instruction ID: 5c0829bc647f38f2479d3735965abcb8e215e57c98d988039aede19321330575
• Opcode Fuzzy Hash: 31a5053e5351b3c290feda93def48459f172f4231d71e052e217649c936f81ce
• Instruction Fuzzy Hash: 2DF03976501301ABCA108FA9FD49B9A3BA8F314318B648416F449DA2B5DB78E8468FB0

Control-flow Graph (image not reproduced)
APIs
• GetProcessHeap.KERNEL32(00000000,00CF8109,?,00CF8109,00000000), ref: 00CEDE6C
• RtlFreeHeap.NTDLL(00000000,?,00CF8109,00000000), ref: 00CEDE73
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: e246c8975b9e179da6429938b8ba44a7b9e205c1aa0c5fdf96cd3e153b0f7b66
• Instruction ID: dd517a1fe23b585a65a04a166319087864a8551e711ad67a9e334a190f741dbd
• Opcode Fuzzy Hash: e246c8975b9e179da6429938b8ba44a7b9e205c1aa0c5fdf96cd3e153b0f7b66
                                                                                                                                                                                                            • Instruction Fuzzy Hash: BDE08C72540344BBEA008BD6FD4A7843BE8FB21741B10C511F11ACA730CB2195428AA4

APIs
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 3fb0a3d77d03a44ed423dca2de6b26a8822f6da5e65b59453553833433dc564a
• Instruction ID: 12bbad38fbcfa456a96cfc2170dea992a1c07c65da1dbf8b4a904cb8a0413079
• Opcode Fuzzy Hash: 3fb0a3d77d03a44ed423dca2de6b26a8822f6da5e65b59453553833433dc564a
• Instruction Fuzzy Hash: 50D01234004349BA87106FA8DC064A53BB5FF047007419011E945D9231DFB0D901D77B

APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 00D0D98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 00D0D9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 00D0DA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 00D0DA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 00D0DBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 00D0DC1C
• CloseHandle.KERNEL32(?), ref: 00D0DC33
• CloseHandle.KERNEL32(?), ref: 00D0DC66
• CloseHandle.KERNEL32(?), ref: 00D0DC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 00D0DD4F
• CloseHandle.KERNEL32(?), ref: 00D0DD9F
• CloseHandle.KERNEL32(?), ref: 00D0DDB2
• CloseHandle.KERNEL32(?), ref: 00D0DE41
• CloseHandle.KERNEL32(00000000), ref: 00D0DE67
• CloseHandle.KERNEL32(?), ref: 00D0DE7E
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
• API String ID: 1130065513-2746444292
• Opcode ID: c9b07c4438aa0098cd07fa7c541d85fc31ec3fce5cbb4b7e7d8ff2cfe7addb81
• Instruction ID: e9d78fd0a8e0a98aef5d500ba12ef3d31e68cf6ec108f8bf799e4a7ac4db13df
• Opcode Fuzzy Hash: c9b07c4438aa0098cd07fa7c541d85fc31ec3fce5cbb4b7e7d8ff2cfe7addb81
• Instruction Fuzzy Hash: 66025576611705EBCB04CFA8FD91AE97BB6FB48310714811AE806D63B0EF349942DB75
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00D03685
• CreateServiceA.ADVAPI32(00000000,0088E678,0088E678,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00D036D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00D03728
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00D0374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 00D0375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 00D037D1
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00D03836
• CloseServiceHandle.ADVAPI32(00000000), ref: 00D03847
• CloseServiceHandle.ADVAPI32(00000000), ref: 00D038B1
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID: 3ch$qh~B
• API String ID: 3525021261-274300185
• Opcode ID: 4f1e4d63b6ce23b9f4c283c37ef7934297dc7a9acd446a33e04e3716aef870ac
• Instruction ID: 1bf84ecb6574865267fbe524b96d486e8c1d5b224561fed4722e71eed62d7807
• Opcode Fuzzy Hash: 4f1e4d63b6ce23b9f4c283c37ef7934297dc7a9acd446a33e04e3716aef870ac
• Instruction Fuzzy Hash: AE9142B9514300BBC3088B68FDA5AF977B9FB49701744C01AE806DA3B1EE759943CB75
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CF11F7
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00CF1267
• CloseHandle.KERNEL32(00000000), ref: 00CF128B
• GetTickCount.KERNEL32 ref: 00CF12D1
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00CF153B
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00CF157E
• CloseHandle.KERNEL32(00000000), ref: 00CF158F
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID: Ra);
• API String ID: 3478262135-4229484525
• Opcode ID: cfbe619f57b8a91cda5c33f04685c91c3340acc6ecf8b90c607c4d7abbfca75f
                                                                                                                                                                                                            • Instruction ID: 504e58bd93d17a767ee1766925f2aa199972c81f9c462e6842e6228b0eda2f0b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cfbe619f57b8a91cda5c33f04685c91c3340acc6ecf8b90c607c4d7abbfca75f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36B198B2515704FAD7188B68FD91AFA37B8FB48315714801AE915CA3B1EF388943DB36
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CF16B2
• Process32First.KERNEL32(00000000,00000128), ref: 00CF17BE
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00CF1932
• Module32First.KERNEL32(00000000,00000224), ref: 00CF1991
• CloseHandle.KERNEL32(?,0000000A), ref: 00CF1A6A
• Process32Next.KERNEL32(00000000,00000128), ref: 00CF1ACE
• CloseHandle.KERNEL32(00000000), ref: 00CF1AF5
Similarity
• API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
• String ID:
• API String ID: 930127669-0
• Opcode ID: f682d4f0d2be8905227de946b18f257c4ba201a5f48d1a1640567992bfce67cc
• Instruction ID: 0ecee4c64a46b3e3e9666550e8219de0ee3411e1ab28c9571974965c98c61264
• Opcode Fuzzy Hash: f682d4f0d2be8905227de946b18f257c4ba201a5f48d1a1640567992bfce67cc
• Instruction Fuzzy Hash: 30C1DB76605704EBD708DB64FC966F933B4FB44311B04C11AEA06CA3A0EF789983CB65
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00CF9FF7
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 00CFA049
• GetLastError.KERNEL32 ref: 00CFA061
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 00CFA162
• CloseServiceHandle.ADVAPI32(00000000), ref: 00CFA3B6
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
• String ID:
• API String ID: 1579346331-0
• Opcode ID: bc15a431043944f25e6eb3b4b3159980d2e49f31b43d553ea2ab8a402c3a1b6f
• Instruction ID: 108f5685a6ee2370e2a381a707444034748bc3a7d488e5e969d2ffdb8c7bf5dd
• Opcode Fuzzy Hash: bc15a431043944f25e6eb3b4b3159980d2e49f31b43d553ea2ab8a402c3a1b6f
• Instruction Fuzzy Hash: 4FD1BAB6905704EBC708CF68FD91AF9B7B5FB44310B14801AE915D63A0EF349A83DB62
APIs
• Sleep.KERNEL32(000003E8), ref: 00CE5DEC
• FindFirstFileA.KERNEL32(?,?), ref: 00CE5EB2
• DeleteFileA.KERNEL32(?), ref: 00CE5FE2
• FindNextFileA.KERNEL32(00000000,?), ref: 00CE6020
• FindClose.KERNEL32(00000000), ref: 00CE6042
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: 3c07c9edebc0613a67afe2704c2e422353409ec6b70fc717025050fe9d131073
• Instruction ID: 0044a78d3c66e3b76898713296ed2989b2458c9611f1eb19004af33da0e78221
• Opcode Fuzzy Hash: 3c07c9edebc0613a67afe2704c2e422353409ec6b70fc717025050fe9d131073
• Instruction Fuzzy Hash: 3AA1ABB5515755EBD708CB6AFC929E933B8FB48301710811AE906CA370EF389A83DB75
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 00CECAF2
• SetServiceStatus.ADVAPI32(00D1B2DC), ref: 00CECB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CECB78
• SetServiceStatus.ADVAPI32(00D1B2DC), ref: 00CECBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 00CECC62
• SetServiceStatus.ADVAPI32(00D1B2DC), ref: 00CECCAF
• CloseHandle.KERNEL32 ref: 00CECCC5
• SetServiceStatus.ADVAPI32(00D1B2DC), ref: 00CECD8F
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: f19169a374bc35a71b2a306990e9ea4a2b5b40ea3f38cb981d2cd0b0475e1d01
• Instruction ID: edb1abdb8745e6c10dab995e10ed9a6ff1b48dc1020fa89f11ad64e052fc5e0b
• Opcode Fuzzy Hash: f19169a374bc35a71b2a306990e9ea4a2b5b40ea3f38cb981d2cd0b0475e1d01
• Instruction Fuzzy Hash: 71910B74111341ABC308CF2AFD999EA7BB6FB18721310C52AE406CA371DF348987DB64
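The four call listings above (the Toolhelp32 snapshot walk, the OpenSCManagerA/EnumServicesStatusA pair, the Sleep/FindFirstFileA/DeleteFileA loop, and the RegisterServiceCtrlHandlerA/SetServiceStatus entry point) say more than the API names alone once the hex arguments are decoded: 0x2 and 0x8 are TH32CS_SNAPPROCESS and TH32CS_SNAPMODULE, 0x128 and 0x224 are the 32-bit ANSI sizes of PROCESSENTRY32 and MODULEENTRY32 (consistent with the A-suffixed imports and the report's 32-bit PE finding), 0x30 and 0x3 are SERVICE_WIN32 and SERVICE_STATE_ALL, 0x24 is sizeof(ENUM_SERVICE_STATUSA), and EnumServicesStatusA followed by GetLastError and a second EnumServicesStatusA is the ERROR_MORE_DATA size probe. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the listings exactly as printed, decodes those constants and tags each function with a behaviour label. The listings are embedded as constructed input keyed by each function's first call address, and the ATT&CK technique IDs are this example's own mapping, not something the report states.

```python
import re

# Constructed input: the four listings above, keyed by each function's first call address (added example).
REPORT_APIS = {
    "00CF16B2": """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CF16B2
• Process32First.KERNEL32(00000000,00000128), ref: 00CF17BE
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00CF1932
• Module32First.KERNEL32(00000000,00000224), ref: 00CF1991
• CloseHandle.KERNEL32(?,0000000A), ref: 00CF1A6A
• Process32Next.KERNEL32(00000000,00000128), ref: 00CF1ACE
• CloseHandle.KERNEL32(00000000), ref: 00CF1AF5""",
    "00CF9FF7": """\
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00CF9FF7
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 00CFA049
• GetLastError.KERNEL32 ref: 00CFA061
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 00CFA162
• CloseServiceHandle.ADVAPI32(00000000), ref: 00CFA3B6""",
    "00CE5DEC": """\
• Sleep.KERNEL32(000003E8), ref: 00CE5DEC
• FindFirstFileA.KERNEL32(?,?), ref: 00CE5EB2
• DeleteFileA.KERNEL32(?), ref: 00CE5FE2
• FindNextFileA.KERNEL32(00000000,?), ref: 00CE6020
• FindClose.KERNEL32(00000000), ref: 00CE6042""",
    "00CECAF2": """\
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 00CECAF2
• SetServiceStatus.ADVAPI32(00D1B2DC), ref: 00CECB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CECB78
• WaitForSingleObject.KERNEL32(00001388), ref: 00CECC62
• CloseHandle.KERNEL32 ref: 00CECCC5""",
}

# One call line: "• Api.MODULE(arg,...), ref: ADDR"; the parens and comma are absent
# when the plugin prints no arguments (GetLastError, CloseHandle).
LINE_RE = re.compile(r"^\s*•\s*(?P<api>\w+)\.\w+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*[0-9A-Fa-f]+\s*$")

TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
SERVICE_TYPE = {0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
SERVICE_STATE = {0x1: "SERVICE_ACTIVE", 0x2: "SERVICE_INACTIVE"}
# dwSize a 32-bit ANSI build passes as the second argument of these calls.
SIZEOF_ARG1 = {"Process32First": ("PROCESSENTRY32", 0x128), "Process32Next": ("PROCESSENTRY32", 0x128),
               "Module32First": ("MODULEENTRY32", 0x224)}
# Behaviour labels and the APIs that must all occur in one function (ATT&CK IDs are this example's mapping).
BEHAVIOURS = [
    ("process/module enumeration via Toolhelp32 (T1057)", {"CreateToolhelp32Snapshot", "Process32First"}),
    ("service enumeration through the SCM (T1007)", {"OpenSCManagerA", "EnumServicesStatusA"}),
    ("directory walk that deletes files (T1070.004)", {"FindFirstFileA", "DeleteFileA", "FindNextFileA"}),
    ("ServiceMain-style entry, runs as a service (T1543.003)", {"RegisterServiceCtrlHandlerA", "SetServiceStatus"}),
]

def parse_apis(listing):
    """Return [(api, args)] per call line; args are ints, or None for '?' and symbolic values."""
    calls = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
            calls.append((m.group("api"), [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None for a in raw]))
    return calls

def flags(value, table):
    names = [n for bit, n in table.items() if value is not None and value & bit]
    return "|".join(names) if names else str(value)

def decode(api, a):
    """Explain the constants of one call; only positions the API actually defines are read."""
    if api == "CreateToolhelp32Snapshot" and a:
        return flags(a[0], TH32CS)
    if api in SIZEOF_ARG1 and len(a) > 1 and a[1] == SIZEOF_ARG1[api][1]:
        return f"dwSize=sizeof({SIZEOF_ARG1[api][0]})"
    if api == "OpenSCManagerA" and len(a) > 2 and a[2] == 0x80000000:
        return "local SCM, GENERIC_READ"
    if api == "EnumServicesStatusA" and len(a) > 4:
        out = flags(a[1], SERVICE_TYPE) + ", " + flags(a[2], SERVICE_STATE)
        if a[4] == 0x24:   # sizeof(ENUM_SERVICE_STATUSA): a one-entry probe buffer
            out += ", cbBufSize=sizeof(ENUM_SERVICE_STATUSA)"
        return out
    if api == "Sleep" and a:
        return f"{a[0]} ms"
    if api == "WaitForSingleObject" and a:   # timeout is the 2nd argument; the plugin may print only one
        ms = a[1] if len(a) > 1 else a[0]
        return "timeout INFINITE" if ms == 0xFFFFFFFF else f"timeout {ms} ms"
    return ""

def classify(calls):
    names = [api for api, _ in calls]
    found = [label for label, need in BEHAVIOURS if need <= set(names)]
    # Enum, GetLastError, Enum in that order is the ERROR_MORE_DATA idiom: probe, read pcbBytesNeeded, call again.
    seq = [n for n in names if n in ("EnumServicesStatusA", "GetLastError")]
    if seq[:3] == ["EnumServicesStatusA", "GetLastError", "EnumServicesStatusA"]:
        found.append("ERROR_MORE_DATA size probe before the second EnumServicesStatusA")
    return found

def analyse(report=REPORT_APIS):
    return {ref: {"calls": [(api, decode(api, a)) for api, a in parse_apis(text)],
                  "behaviours": classify(parse_apis(text))} for ref, text in report.items()}

if __name__ == "__main__":
    for ref, info in analyse().items():
        print(ref, "\n".join([""] + [f"  {api:<28} {note}" for api, note in info["calls"]]
                             + [f"  -> {b}" for b in info["behaviours"]]))
```

Two caveats when reading these listings. The argument columns are stack snapshots at the call site, so values past an API's real parameter count (the 0000000A after the `?` on the first CloseHandle, which takes one argument) are stack residue, and the decoder only inspects positions the API defines. The second EnumServicesStatusA shows `00000000` where the first showed `?` for the buffer pointer, which is expected for the probe-then-allocate pattern: the first call is made only to learn the required size, so `cbBufSize` of one entry and a subsequent GetLastError (ERROR_MORE_DATA is the value to expect) are not a bug but the intended control flow.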
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,00CED583,Function_0000AD87,00000002,00000000), ref: 00D04637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00D04655
• CloseHandle.KERNEL32(00000000,?,00000002,?,00CED583,Function_0000AD87,00000002,00000000), ref: 00D0468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,00CED583,Function_0000AD87,00000002,00000000), ref: 00D046A1
• CloseHandle.KERNEL32(?,00000002,?,00CED583,Function_0000AD87,00000002,00000000), ref: 00D04712
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateHandle$EventObjectSingleThreadWait
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1404307249-0
                                                                                                                                                                                                            • Opcode ID: 8c71b30b71d5bebf0544622207c639b88fbc1e5e043c19776161ba1310658636
                                                                                                                                                                                                            • Instruction ID: 1daa1c57a446e912a0cc90ddfe20f30c6cd1b4137b340775f19be96ea6ec8787
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8c71b30b71d5bebf0544622207c639b88fbc1e5e043c19776161ba1310658636
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 234124B5515340FBC3248F68FD85AA67BBAFB89711760C41AE54AC67B0EB349843CB31
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00D04CBC
  • Part of subcall function 00CF074E: wvsprintfA.USER32(?,?,?), ref: 00CF07C3
• Sleep.KERNEL32(00015F90), ref: 00D04E60
• DeleteFileA.KERNEL32(?), ref: 00D04E7F
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
• Opcode ID: 4d3f4cff14edc592f6e4614ae4d5cb7ea7e4883992f92262f4f26d524c3eb214
• Instruction ID: c41e766ef2ae388bdc2227f259966e430d4269b2ba08fad511f22886b56575d5
• Opcode Fuzzy Hash: 4d3f4cff14edc592f6e4614ae4d5cb7ea7e4883992f92262f4f26d524c3eb214
• Instruction Fuzzy Hash: B4D1BD75514704BAC708DF64FD92AE677B9FB48710B00841AEA0ACA3B1EF349983DB71
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CF9C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00CF9CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00CF9DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00CF9E86
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: CloseFileHandle$CreateRead
• String ID:
• API String ID: 2564258376-0
• Opcode ID: 5e155086f529bffd6c59480b941e6a07423fc13910b1918dc4c480f6f59ed6c8
• Instruction ID: 5695f7e8e8ad0815353b7f55b6a3c08a73bdfc12ba271153dcd0ca8b299cafe1
• Opcode Fuzzy Hash: 5e155086f529bffd6c59480b941e6a07423fc13910b1918dc4c480f6f59ed6c8
• Instruction Fuzzy Hash: CB818575611304ABCB14DF64EC92AFA77A9FB48711B10841AE906C63A1EF349983CB76
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00CF8146,00000000,?,?,?,?,?,00CEF85A,?,?,?,00D09573), ref: 00D09143
• RtlReAllocateHeap.NTDLL(00000000,?,00CF8146,00000000), ref: 00D0914A
• GetProcessHeap.KERNEL32(00000000,00000000,?,00CF8146,00000000,?,?,?,?,?,00CEF85A,?,?,?,00D09573,?), ref: 00D09174
• HeapAlloc.KERNEL32(00000000,?,00CF8146,00000000,?,?,?,?,?,00CEF85A,?,?,?,00D09573,?,00000001), ref: 00D0917B
Memory Dump Source
• Source File: 00000004.00000002.2227053501.0000000000CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00CE0000, based on PE: true
• Associated: 00000004.00000002.2226953420.0000000000CE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227082702.0000000000D0F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227099187.0000000000D10000.00000008.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227115098.0000000000D13000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000004.00000002.2227139676.0000000000D1C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ce0000_xxxniijvj.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
• Opcode ID: 896526b1de86cf9aa778c2c6ccbc20735dae05c74435719cf3532c7e7ad5c1fe
• Instruction ID: 90eec667f5d392f68c828e2445ec5088ef0938a595d42eb19da29d023f70a48d
• Opcode Fuzzy Hash: 896526b1de86cf9aa778c2c6ccbc20735dae05c74435719cf3532c7e7ad5c1fe
• Instruction Fuzzy Hash: A1014876680700FFCB00DFA0FC597A83BA4FB48300B448516F90AC6766EF7894428B74

Execution Graph

Execution Coverage: 9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1498
Total number of Limit Nodes: 7
RtlFreeHeap GetProcessHeap RtlAllocateHeap 9636->9639 9637->9610 9637->9613 9638 486e2 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9638->9639 9639->9632 9639->9636 9639->9637 9639->9638 9640 4dec6 GetProcessHeap RtlFreeHeap GetProcessHeap RtlAllocateHeap 9639->9640 9641 56d72 4 API calls 9639->9641 9642 485a4 4 API calls 9639->9642 9643 4e4e4 4 API calls 9639->9643 9640->9639 9641->9639 9642->9639 9643->9639 9645 56d97 9644->9645 9646 56dd4 9645->9646 9647 56f07 9645->9647 9649 56df4 9646->9649 9650 56e66 9646->9650 9648 4b38e 4 API calls 9647->9648 9653 56e24 9648->9653 9651 658f9 4 API calls 9649->9651 9652 658f9 4 API calls 9650->9652 9651->9653 9652->9653 9653->9601 9655 6410e 9654->9655 9656 69707 Mailbox 8 API calls 9655->9656 9659 6419c 9656->9659 9657 641f1 ReadFile 9658 64256 WaitForSingleObject 9657->9658 9657->9659 9658->9490 9659->9657 9659->9658 9660 69883 8 API calls 9659->9660 9660->9659 9662 6d5ff 9661->9662 9663 43e8c GetSystemTimeAsFileTime 9662->9663 9664 6d628 9662->9664 9663->9664 9664->9425 9666 4f206 9665->9666 9667 5a805 2 API calls 9666->9667 9668 4f22f 9667->9668 9669 523e9 9 API calls 9668->9669 9670 4f250 Mailbox 9669->9670 9671 58251 2 API calls 9670->9671 9672 4f28d 9671->9672 9673 5a805 2 API calls 9672->9673 9678 4f2a5 9672->9678 9674 4f2cb 9673->9674 9675 523e9 9 API calls 9674->9675 9676 4f2e2 Mailbox 9675->9676 9677 58251 2 API calls 9676->9677 9677->9678 9678->9425 9689 4519e 9690 623a6 Mailbox 2 API calls 9689->9690 9691 451b3 9690->9691 8839 6d01d 8840 6d03a 8839->8840 8846 65d58 8840->8846 8844 6d067 8845 6d108 ExitProcess 8844->8845 8847 65d93 8846->8847 8857 4565e 8847->8857 8849 65dbb 8850 55d50 8849->8850 8851 55d74 8850->8851 8852 55d87 GetStdHandle 8850->8852 8851->8852 8853 55dc5 GetStdHandle 8852->8853 8854 55db3 8852->8854 8856 55dfa GetStdHandle 8853->8856 8854->8853 8856->8844 8858 456c5 GetProcessHeap HeapAlloc 8857->8858 8859 45695 8857->8859 8858->8849 8859->8858 8954 55498 8955 554ba 8954->8955 
8956 5550a Mailbox 8954->8956 8957 555fd CreateProcessA 8956->8957 8958 55677 8957->8958 8959 55633 CloseHandle CloseHandle 8957->8959 8959->8958 9692 459a1 9695 6cf7e 9692->9695 9696 6236a lstrlen 9695->9696 9697 459af 9696->9697 8864 4fa34 8867 47fce 8864->8867 8866 4fa42 8868 642b6 lstrlen 8867->8868 8869 47fe9 Mailbox 8868->8869 8869->8866 7952 6cdb7 7953 6ce1b 7952->7953 7956 5ff20 7953->7956 7954 6cf4c 8183 58251 7956->8183 7960 5ff74 7961 58251 2 API calls 7960->7961 7962 5ff88 7961->7962 7963 5a805 2 API calls 7962->7963 7964 5ffc7 7963->7964 7965 58251 2 API calls 7964->7965 7966 5ffdb 7965->7966 7967 5a805 2 API calls 7966->7967 7968 6001a 7967->7968 7969 58251 2 API calls 7968->7969 7970 6002e 7969->7970 7971 5a805 2 API calls 7970->7971 7972 60063 7971->7972 7973 58251 2 API calls 7972->7973 7974 60077 7973->7974 7975 5a805 2 API calls 7974->7975 7976 600f0 7975->7976 7977 58251 2 API calls 7976->7977 7978 60126 7977->7978 7979 5a805 2 API calls 7978->7979 7980 601a6 7979->7980 7981 58251 2 API calls 7980->7981 7982 601c4 7981->7982 7983 5a805 2 API calls 7982->7983 7984 60238 7983->7984 7985 58251 2 API calls 7984->7985 7986 60252 7985->7986 7987 5a805 2 API calls 7986->7987 7988 60283 7987->7988 7989 58251 2 API calls 7988->7989 7990 602bf 7989->7990 7991 5a805 2 API calls 7990->7991 7992 60325 7991->7992 7993 58251 2 API calls 7992->7993 7994 60339 7993->7994 7995 5a805 2 API calls 7994->7995 7996 6036a 7995->7996 7997 58251 2 API calls 7996->7997 7998 603bd 7997->7998 7999 5a805 2 API calls 7998->7999 8000 60402 7999->8000 8001 58251 2 API calls 8000->8001 8002 60422 8001->8002 8003 5a805 2 API calls 8002->8003 8004 60469 8003->8004 8005 58251 2 API calls 8004->8005 8006 604b2 8005->8006 8007 58251 2 API calls 8006->8007 8008 60503 Mailbox 8007->8008 8190 4de5a GetProcessHeap RtlFreeHeap 8008->8190 8012 6054a 8013 5a805 2 API calls 8012->8013 8014 60560 GetEnvironmentVariableA 8013->8014 8015 605b2 8014->8015 8016 58251 2 API calls 8015->8016 8017 
605d0 CreateMutexA CreateMutexA CreateMutexA 8016->8017 8018 60665 8017->8018 8019 60809 8018->8019 8020 606de GetTickCount 8018->8020 8021 606c9 8018->8021 8197 488a8 8019->8197 8023 606f2 8020->8023 8021->8020 8025 5a805 2 API calls 8023->8025 8024 60818 GetCommandLineA 8027 608a8 8024->8027 8029 60710 8025->8029 8028 5a805 2 API calls 8027->8028 8031 608c5 8028->8031 8030 58251 2 API calls 8029->8030 8032 607b7 8030->8032 8033 58251 2 API calls 8031->8033 8032->8019 8034 6092f 8033->8034 8035 60964 8034->8035 8036 61311 GetCommandLineA 8034->8036 8037 5a805 2 API calls 8035->8037 8356 63e09 8036->8356 8041 60996 8037->8041 8040 613a1 8359 642b6 8040->8359 8042 58251 2 API calls 8041->8042 8044 60a10 8042->8044 8048 5a805 2 API calls 8044->8048 8050 60a21 8044->8050 8045 613dc 8046 61417 GetModuleFileNameA 8045->8046 8047 613f9 8045->8047 8362 520d8 lstrlen 8046->8362 8047->8046 8053 60ac3 8048->8053 8353 515e5 8050->8353 8054 58251 2 API calls 8053->8054 8056 60b1f 8054->8056 8055 6145c 8059 520d8 2 API calls 8055->8059 8056->8050 8300 4f793 8056->8300 8057 5a805 2 API calls 8058 622a4 8057->8058 8563 4e2f8 8058->8563 8061 61510 8059->8061 8063 520d8 2 API calls 8061->8063 8075 61523 8063->8075 8065 5a805 2 API calls 8071 60ba4 8065->8071 8066 61785 8385 43b2c 8066->8385 8067 622c9 8067->7954 8069 617c8 8070 6175d 8069->8070 8393 5b3db 8069->8393 8070->8050 8073 58251 2 API calls 8071->8073 8092 60be7 8073->8092 8074 617ed 8076 43e8c GetSystemTimeAsFileTime 8074->8076 8075->8066 8079 615b0 8075->8079 8077 61806 8076->8077 8487 4ddd3 8077->8487 8365 5af1f 8079->8365 8083 615e1 8371 45c39 8083->8371 8086 60d00 Sleep 8087 5b046 5 API calls 8086->8087 8088 60d57 8087->8088 8088->8092 8089 615fa 8089->8070 8090 5a805 2 API calls 8089->8090 8093 61680 8090->8093 8091 60dd2 Sleep 8091->8092 8092->8086 8092->8091 8116 60dfe 8092->8116 8305 5571f 8092->8305 8316 5b046 8092->8316 8328 43e8c 8092->8328 8096 642b6 lstrlen 8093->8096 8094 6186d 8098 618fb WSAStartup 
8094->8098 8095 5571f 6 API calls 8095->8116 8097 61695 MessageBoxA 8096->8097 8105 61738 8097->8105 8101 61928 8098->8101 8108 6197d 8098->8108 8099 60ee5 8100 5b046 5 API calls 8099->8100 8104 60ef9 8100->8104 8101->8057 8109 60f60 GetModuleFileNameA SetFileAttributesA 8104->8109 8110 612ba 8104->8110 8106 58251 2 API calls 8105->8106 8106->8070 8107 61a3d 8117 61a8c CloseHandle SetFileAttributesA 8107->8117 8141 61d7e 8107->8141 8108->8107 8491 6395f 8108->8491 8111 60fcc CopyFileA 8109->8111 8346 554d8 8110->8346 8118 5a805 2 API calls 8111->8118 8112 60ea2 Sleep 8112->8116 8116->8095 8116->8099 8116->8112 8332 50806 8116->8332 8119 61b05 CopyFileA 8117->8119 8120 61ae9 8117->8120 8121 61044 8118->8121 8123 61b22 SetFileAttributesA 8119->8123 8124 61c76 8119->8124 8120->8119 8131 58251 2 API calls 8121->8131 8122 5571f 6 API calls 8122->8141 8129 61b5b 8123->8129 8130 61b79 8123->8130 8532 4b7cd WaitForSingleObject 8124->8532 8126 619d7 8126->8070 8501 4f02c 8126->8501 8128 61e3f SetFileAttributesA CopyFileA SetFileAttributesA 8142 4f793 lstrlen 8128->8142 8510 635ad 8129->8510 8138 61c27 Sleep 8130->8138 8523 56bd8 8130->8523 8134 61077 8131->8134 8132 50806 9 API calls 8136 61dcb Sleep 8132->8136 8147 5a805 2 API calls 8134->8147 8157 6111d 8134->8157 8136->8141 8140 554d8 3 API calls 8138->8140 8140->8124 8141->8122 8141->8128 8141->8132 8146 61ed0 8142->8146 8143 61bef 8143->8138 8144 61206 SetFileAttributesA 8150 6126d 8144->8150 8145 61195 SetFileAttributesA 8145->8150 8149 5a805 2 API calls 8146->8149 8153 610ce 8147->8153 8152 61ee6 8149->8152 8150->8110 8154 5a805 2 API calls 8152->8154 8155 58251 2 API calls 8153->8155 8156 61f29 8154->8156 8155->8157 8158 58251 2 API calls 8156->8158 8157->8144 8157->8145 8159 61f4e 8158->8159 8534 675ce 8159->8534 8161 61f65 8162 58251 2 API calls 8161->8162 8163 61fc0 8162->8163 8538 6473b 8163->8538 8166 5a805 2 API calls 8167 62012 8166->8167 8168 5a805 2 API calls 8167->8168 8169 62031 8168->8169 8559 5074e 
8169->8559 8171 62063 8172 58251 2 API calls 8171->8172 8173 62079 8172->8173 8174 58251 2 API calls 8173->8174 8175 62092 8174->8175 8176 554d8 3 API calls 8175->8176 8177 620d2 Mailbox 8176->8177 8178 62140 CreateThread 8177->8178 8180 62179 8178->8180 8179 621c3 Sleep 8180->8179 8562 674e8 StartServiceCtrlDispatcherA 8180->8562 8184 58268 Mailbox 8183->8184 8185 4de5a Mailbox 2 API calls 8184->8185 8186 582cb 8185->8186 8187 5a805 8186->8187 8569 623a6 8187->8569 8189 5a878 Mailbox 8189->7960 8191 4de8a 8190->8191 8192 6d256 GetSystemTime 8191->8192 8193 6d2ec 8192->8193 8194 43e8c GetSystemTimeAsFileTime 8193->8194 8195 6d368 GetTickCount 8194->8195 8196 6d39b 8195->8196 8196->8012 8198 488cc 8197->8198 8199 488ea GetVersionExA 8198->8199 8572 4e769 8199->8572 8205 489fc 8208 48a89 CreateDirectoryA 8205->8208 8206 48b28 8207 5a805 2 API calls 8206->8207 8209 48bc2 8207->8209 8210 5a805 2 API calls 8208->8210 8595 4846d 8209->8595 8212 48ae2 8210->8212 8215 58251 2 API calls 8212->8215 8214 58251 2 API calls 8216 48c06 Mailbox 8214->8216 8215->8206 8599 4c622 8216->8599 8218 48d6f 8220 5c0de 6 API calls 8218->8220 8219 48cfe DeleteFileA 8222 48d3d RemoveDirectoryA 8219->8222 8223 48d2b 8219->8223 8224 48d85 8220->8224 8222->8218 8223->8222 8225 48dc3 CreateDirectoryA 8224->8225 8226 48e00 8225->8226 8227 4f793 lstrlen 8226->8227 8228 48e64 CreateDirectoryA 8227->8228 8230 5a805 2 API calls 8228->8230 8231 48eb8 8230->8231 8232 5a805 2 API calls 8231->8232 8233 48f10 8232->8233 8234 58251 2 API calls 8233->8234 8235 48f6c 8234->8235 8236 4846d 9 API calls 8235->8236 8237 48f89 8236->8237 8238 58251 2 API calls 8237->8238 8239 48f9b Mailbox 8238->8239 8240 4c622 5 API calls 8239->8240 8241 48fca 8240->8241 8242 49769 8241->8242 8244 4906c 8241->8244 8245 48fec 8241->8245 8243 4f793 lstrlen 8242->8243 8248 4977f SetFileAttributesA 8243->8248 8247 5a805 2 API calls 8244->8247 8246 5a805 2 API calls 8245->8246 8249 4900e 8246->8249 8250 49082 8247->8250 8255 497e1 
Mailbox 8248->8255 8251 5074e wvsprintfA 8249->8251 8252 5074e wvsprintfA 8250->8252 8253 49034 8251->8253 8254 490a0 8252->8254 8256 58251 2 API calls 8253->8256 8257 58251 2 API calls 8254->8257 8255->8024 8258 4905d 8256->8258 8257->8258 8259 49128 8258->8259 8260 49144 CreateDirectoryA 8259->8260 8261 4917e 8260->8261 8262 4f793 lstrlen 8261->8262 8263 491cd CreateDirectoryA 8262->8263 8264 5a805 2 API calls 8263->8264 8265 49210 8264->8265 8266 5a805 2 API calls 8265->8266 8267 4923f 8266->8267 8268 58251 2 API calls 8267->8268 8269 4927a 8268->8269 8270 4846d 9 API calls 8269->8270 8271 4928f 8270->8271 8272 58251 2 API calls 8271->8272 8273 49307 Mailbox 8272->8273 8274 4c622 5 API calls 8273->8274 8275 49336 8274->8275 8276 49716 8275->8276 8277 49341 GetTempPathA 8275->8277 8276->8242 8278 642b6 lstrlen 8277->8278 8279 4938b 8278->8279 8280 4f793 lstrlen 8279->8280 8281 494ae CreateDirectoryA 8280->8281 8282 494fd 8281->8282 8283 5a805 2 API calls 8282->8283 8284 49519 8283->8284 8285 5a805 2 API calls 8284->8285 8286 49577 8285->8286 8287 58251 2 API calls 8286->8287 8288 495a4 8287->8288 8289 4846d 9 API calls 8288->8289 8290 495ba 8289->8290 8291 58251 2 API calls 8290->8291 8292 495dc Mailbox 8291->8292 8293 4c622 5 API calls 8292->8293 8294 4960b 8293->8294 8294->8276 8295 49633 GetTempPathA 8294->8295 8296 49670 8295->8296 8297 5a805 2 API calls 8296->8297 8298 496a4 8297->8298 8299 58251 2 API calls 8298->8299 8299->8276 8301 4ddd3 lstrlen 8300->8301 8303 4f7bd 8301->8303 8302 4f80a 8302->8065 8303->8302 8304 642b6 lstrlen 8303->8304 8304->8302 8306 55751 CreateToolhelp32Snapshot 8305->8306 8309 55828 8306->8309 8308 55a95 Mailbox 8308->8092 8309->8308 8310 558da Process32First 8309->8310 8311 55a6c FindCloseChangeNotification 8310->8311 8312 5590e 8310->8312 8311->8308 8313 520d8 2 API calls 8312->8313 8314 559c2 Process32Next 8312->8314 8315 55a29 8312->8315 8313->8312 8314->8312 8315->8311 8317 5b068 CreateFileA 8316->8317 8319 5b142 GetFileTime 
8317->8319 8320 5b11b 8317->8320 8321 5b1c7 8319->8321 8322 5b177 8319->8322 8320->8092 8325 5b204 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 8321->8325 8323 5b1b1 CloseHandle 8322->8323 8324 5b193 8322->8324 8323->8320 8324->8323 8326 5b264 GetFileSize CloseHandle 8325->8326 8327 5b2f4 8326->8327 8327->8320 8329 43ebf GetSystemTimeAsFileTime 8328->8329 8331 43f11 __aulldiv 8329->8331 8331->8092 8333 5084d CreateToolhelp32Snapshot 8332->8333 8335 50b20 Mailbox 8333->8335 8336 508ee Process32First 8333->8336 8335->8116 8338 50aeb 8336->8338 8343 50988 8336->8343 8339 50b0f CloseHandle 8338->8339 8344 50aea 8338->8344 8339->8335 8340 520d8 2 API calls 8340->8343 8341 509f5 OpenProcess 8341->8343 8342 50aa4 Process32Next 8342->8343 8342->8344 8343->8340 8343->8341 8343->8342 8345 50a61 TerminateProcess CloseHandle 8343->8345 8344->8338 8344->8339 8345->8343 8350 554ea Mailbox 8346->8350 8347 555fd CreateProcessA 8348 55677 8347->8348 8349 55633 8347->8349 8348->8050 8351 55645 8349->8351 8352 5564f CloseHandle CloseHandle 8349->8352 8350->8347 8351->8352 8352->8348 8646 5bf87 8353->8646 8355 51600 ExitProcess 8357 642b6 lstrlen 8356->8357 8358 63e48 8357->8358 8358->8040 8360 642cf lstrlen 8359->8360 8360->8045 8363 5210f CharLowerBuffA 8362->8363 8363->8055 8366 5af3f 8365->8366 8648 5111e 8366->8648 8368 5af7b 8369 554d8 3 API calls 8368->8369 8370 5afe0 Mailbox 8369->8370 8370->8083 8372 45c69 8371->8372 8373 642b6 lstrlen 8372->8373 8380 46052 Mailbox 8372->8380 8374 45dce Sleep 8373->8374 8375 45e25 8374->8375 8376 5a805 2 API calls 8375->8376 8377 45e52 8376->8377 8378 58251 2 API calls 8377->8378 8379 45e87 FindFirstFileA 8378->8379 8379->8380 8381 45ecd 8379->8381 8380->8089 8382 45fdb DeleteFileA 8381->8382 8383 46018 FindNextFileA 8381->8383 8382->8381 8382->8383 8383->8381 8384 4602e FindClose 8383->8384 8384->8380 8386 4f793 lstrlen 8385->8386 8387 43b68 8386->8387 8388 5a805 2 API calls 8387->8388 8389 43b88 8388->8389 8390 58251 2 API calls 8389->8390 
8391 43bc6 CreateFileA 8390->8391 8392 43c14 Mailbox 8391->8392 8392->8069 8394 5b41c 8393->8394 8395 5b4ff GetComputerNameA 8394->8395 8396 5b536 8395->8396 8403 5b59e 8395->8403 8398 5a805 2 API calls 8396->8398 8397 5a805 2 API calls 8399 5b5fa 8397->8399 8400 5b552 8398->8400 8401 58251 2 API calls 8399->8401 8402 58251 2 API calls 8400->8402 8404 5b63d 8401->8404 8402->8403 8403->8397 8405 4846d 9 API calls 8404->8405 8406 5b661 8405->8406 8679 4695e 8406->8679 8408 5b6db Mailbox 8682 684d7 8408->8682 8411 642b6 lstrlen 8412 5b7d9 8411->8412 8717 50b92 8412->8717 8416 5b834 Mailbox 8417 4695e 8 API calls 8416->8417 8418 5b891 8417->8418 8419 50b92 9 API calls 8418->8419 8420 5b92e 8419->8420 8421 45724 8 API calls 8420->8421 8422 5b93d Mailbox 8421->8422 8423 4695e 8 API calls 8422->8423 8424 5b964 8423->8424 8425 50b92 9 API calls 8424->8425 8426 5b988 8425->8426 8427 45724 8 API calls 8426->8427 8428 5b997 Mailbox 8427->8428 8429 4695e 8 API calls 8428->8429 8430 5b9cf 8429->8430 8431 50b92 9 API calls 8430->8431 8432 5b9fe 8431->8432 8433 45724 8 API calls 8432->8433 8434 5ba0a Mailbox 8433->8434 8435 4695e 8 API calls 8434->8435 8436 5ba25 8435->8436 8437 50b92 9 API calls 8436->8437 8438 5ba48 8437->8438 8439 45724 8 API calls 8438->8439 8440 5ba57 Mailbox 8439->8440 8441 4695e 8 API calls 8440->8441 8442 5ba79 8441->8442 8443 5a805 2 API calls 8442->8443 8444 5ba95 8443->8444 8445 50b92 9 API calls 8444->8445 8446 5bab9 8445->8446 8447 45724 8 API calls 8446->8447 8448 5bac8 Mailbox 8447->8448 8449 58251 2 API calls 8448->8449 8450 5baf7 8449->8450 8451 4695e 8 API calls 8450->8451 8452 5bb1f 8451->8452 8453 50b92 9 API calls 8452->8453 8454 5bb3d 8453->8454 8455 45724 8 API calls 8454->8455 8456 5bb49 Mailbox 8455->8456 8457 4695e 8 API calls 8456->8457 8458 5bb75 8457->8458 8459 50b92 9 API calls 8458->8459 8460 5bb96 8459->8460 8461 45724 8 API calls 8460->8461 8462 5bba5 Mailbox 8461->8462 8463 4695e 8 API calls 8462->8463 8464 5bbcb 8463->8464 8724 
43cdc 8464->8724 8468 5bc06 8469 50b92 9 API calls 8468->8469 8470 5bc12 8469->8470 8471 45724 8 API calls 8470->8471 8472 5bc21 Mailbox 8471->8472 8473 4695e 8 API calls 8472->8473 8474 5bc3f 8473->8474 8475 50b92 9 API calls 8474->8475 8476 5bc85 8475->8476 8477 45724 8 API calls 8476->8477 8478 5bc94 Mailbox 8477->8478 8734 55fba 8478->8734 8480 5bccc 8761 69707 8480->8761 8482 5bd04 Mailbox 8764 69883 8482->8764 8484 5bd30 8768 4ee34 8484->8768 8486 5bd6e Mailbox 8486->8074 8488 4de20 8487->8488 8489 642b6 lstrlen 8488->8489 8490 4de3f 8489->8490 8490->8094 8492 63980 8491->8492 8493 4f793 lstrlen 8492->8493 8494 639f3 8493->8494 8495 5a805 2 API calls 8494->8495 8500 63a11 Mailbox 8494->8500 8496 63ace 8495->8496 8497 58251 2 API calls 8496->8497 8498 63b0d 8497->8498 8816 59b78 8498->8816 8500->8126 8502 4f065 8501->8502 8503 43e8c GetSystemTimeAsFileTime 8502->8503 8505 4f079 8503->8505 8504 4f15a 8504->8107 8505->8504 8506 43e8c GetSystemTimeAsFileTime 8505->8506 8509 4f104 8506->8509 8507 4f10f Sleep 8508 43e8c GetSystemTimeAsFileTime 8507->8508 8508->8509 8509->8504 8509->8507 8511 635f3 OpenSCManagerA 8510->8511 8513 636a9 CreateServiceA 8511->8513 8522 638db 8511->8522 8514 636f0 ChangeServiceConfig2A StartServiceA CloseServiceHandle 8513->8514 8517 63777 OpenServiceA 8513->8517 8516 6388e CloseServiceHandle 8514->8516 8516->8522 8519 637eb 8517->8519 8520 63866 8519->8520 8521 63811 StartServiceA CloseServiceHandle 8519->8521 8520->8516 8521->8520 8522->8130 8524 56c36 8523->8524 8525 5a805 2 API calls 8524->8525 8526 56c9d RegOpenKeyA 8525->8526 8527 58251 2 API calls 8526->8527 8528 56ccb 8527->8528 8529 56d31 RegCloseKey 8528->8529 8530 642b6 lstrlen 8528->8530 8529->8143 8531 56d0f RegSetValueExA 8530->8531 8531->8529 8533 4b846 8532->8533 8533->8070 8535 675f4 8534->8535 8536 676ef CreateFileA 8535->8536 8537 67732 Mailbox 8536->8537 8537->8161 8539 64771 8538->8539 8544 64797 8538->8544 8541 4bece 8 API calls 8539->8541 8540 5a805 2 API calls 
8542 647be 8540->8542 8541->8544 8543 675ce CreateFileA 8542->8543 8545 647e5 8543->8545 8544->8540 8546 58251 2 API calls 8545->8546 8547 64803 8546->8547 8548 64835 Sleep 8547->8548 8549 648af 8547->8549 8550 5a805 2 API calls 8548->8550 8551 61fe7 8549->8551 8833 691aa 8549->8833 8552 64886 8550->8552 8551->8166 8554 675ce CreateFileA 8552->8554 8556 6489b 8554->8556 8558 58251 2 API calls 8556->8558 8558->8549 8560 50764 wvsprintfA 8559->8560 8560->8171 8562->8179 8564 4e30a 8563->8564 8565 4b7cd WaitForSingleObject 8564->8565 8566 4e324 8565->8566 8567 515e5 ExitProcess 8566->8567 8568 4e35a 8567->8568 8568->8067 8570 623e2 GetProcessHeap RtlAllocateHeap 8569->8570 8571 623c0 8569->8571 8570->8189 8571->8570 8573 4e79e AllocateAndInitializeSid 8572->8573 8575 4e883 CheckTokenMembership 8573->8575 8576 48954 8573->8576 8577 4e89f 8575->8577 8578 4e8c9 FreeSid 8575->8578 8579 4457c 8576->8579 8577->8578 8578->8576 8580 44595 8579->8580 8581 5a805 2 API calls 8580->8581 8582 445da GetProcAddress 8581->8582 8583 58251 2 API calls 8582->8583 8584 44613 8583->8584 8585 44623 GetCurrentProcess 8584->8585 8586 4463a 8584->8586 8585->8586 8586->8206 8587 5c0de GetWindowsDirectoryA 8586->8587 8588 5c125 8587->8588 8589 5a805 2 API calls 8588->8589 8594 5c1b6 8588->8594 8590 5c164 8589->8590 8591 58251 2 API calls 8590->8591 8592 5c1a4 8591->8592 8593 642b6 lstrlen 8592->8593 8593->8594 8594->8205 8596 4848a 8595->8596 8615 44f47 8596->8615 8600 4c62f 8599->8600 8601 4b7cd WaitForSingleObject 8600->8601 8602 4c686 8601->8602 8603 4c6b3 8602->8603 8604 4c6ef CreateFileA 8602->8604 8605 44eb1 ReleaseMutex 8603->8605 8607 4c75d 8604->8607 8609 4c79f Mailbox 8604->8609 8614 48c6e 8605->8614 8608 44eb1 ReleaseMutex 8607->8608 8608->8614 8610 4c8fa WriteFile 8609->8610 8610->8609 8611 4c94e FindCloseChangeNotification 8610->8611 8644 44eb1 ReleaseMutex 8611->8644 8614->8218 8614->8219 8616 44f6e 8615->8616 8617 642b6 lstrlen 8616->8617 8618 44f99 8617->8618 8621 62f94 
8618->8621 8620 44fa3 8620->8214 8624 694ec 8621->8624 8623 62fac Mailbox 8623->8620 8625 69509 Mailbox 8624->8625 8627 6950e Mailbox 8625->8627 8628 4f821 8625->8628 8627->8623 8629 4f845 8628->8629 8631 4f85a Mailbox 8629->8631 8632 57f29 8629->8632 8631->8627 8634 57f48 Mailbox 8632->8634 8633 58135 8641 690f1 8633->8641 8634->8633 8636 5802a 8634->8636 8640 58109 Mailbox 8634->8640 8637 623a6 Mailbox 2 API calls 8636->8637 8638 58057 Mailbox 8637->8638 8639 4de5a Mailbox 2 API calls 8638->8639 8639->8640 8640->8631 8642 69152 GetProcessHeap HeapAlloc 8641->8642 8643 6912b GetProcessHeap RtlReAllocateHeap 8641->8643 8642->8640 8643->8640 8645 44ecb 8644->8645 8645->8614 8647 5bfa3 8646->8647 8647->8355 8649 5114d 8648->8649 8650 511d9 CreateFileA 8649->8650 8651 51219 8650->8651 8652 515a4 8651->8652 8653 5124b ReadFile CloseHandle 8651->8653 8652->8368 8654 5129d 8653->8654 8655 512bd GetTickCount 8654->8655 8675 451ca 8655->8675 8657 512de 8658 642b6 lstrlen 8657->8658 8659 51310 8658->8659 8660 5a805 2 API calls 8659->8660 8661 51378 8660->8661 8662 58251 2 API calls 8661->8662 8666 51416 8662->8666 8663 514e0 CreateFileA 8665 5154f 8663->8665 8665->8652 8667 51564 WriteFile CloseHandle 8665->8667 8666->8663 8668 5a805 2 API calls 8666->8668 8667->8652 8669 5147e 8668->8669 8670 642b6 lstrlen 8669->8670 8671 514a0 8670->8671 8672 5074e wvsprintfA 8671->8672 8673 514a9 8672->8673 8674 58251 2 API calls 8673->8674 8674->8663 8676 451ea 8675->8676 8677 642b6 lstrlen 8676->8677 8678 45235 8677->8678 8678->8657 8680 69883 8 API calls 8679->8680 8681 46983 8680->8681 8681->8408 8683 68577 8682->8683 8684 5a805 2 API calls 8683->8684 8685 68652 8684->8685 8686 58251 2 API calls 8685->8686 8687 686d5 GetProcessHeap 8686->8687 8688 68711 8687->8688 8700 5b7c4 8687->8700 8689 5a805 2 API calls 8688->8689 8690 68739 LoadLibraryA 8689->8690 8692 58251 2 API calls 8690->8692 8693 6878f 8692->8693 8694 5a805 2 API calls 8693->8694 8693->8700 8695 68837 GetProcAddress 
8694->8695 8696 58251 2 API calls 8695->8696 8697 6886e 8696->8697 8698 68886 FreeLibrary 8697->8698 8699 688ac HeapAlloc 8697->8699 8698->8700 8701 68926 8699->8701 8702 688fb FreeLibrary 8699->8702 8700->8411 8703 6896c HeapFree 8701->8703 8707 68a27 8701->8707 8702->8700 8704 6898e HeapAlloc 8703->8704 8706 689fb FreeLibrary 8704->8706 8704->8707 8706->8700 8708 5a805 2 API calls 8707->8708 8716 68d26 Mailbox 8707->8716 8710 68ac3 8708->8710 8709 69094 HeapFree FreeLibrary 8709->8700 8711 58251 2 API calls 8710->8711 8712 68b17 8711->8712 8713 5a805 2 API calls 8712->8713 8712->8716 8714 68d41 8713->8714 8715 58251 2 API calls 8714->8715 8715->8716 8716->8709 8774 523e9 8717->8774 8720 45724 8721 4573e Mailbox 8720->8721 8722 69883 8 API calls 8721->8722 8723 45789 8722->8723 8723->8416 8726 43d0f Mailbox 8724->8726 8725 5a805 2 API calls 8727 43d74 8725->8727 8726->8725 8728 58251 2 API calls 8727->8728 8729 43db8 8728->8729 8730 44d07 8729->8730 8731 44d1f 8730->8731 8732 642b6 lstrlen 8731->8732 8733 44d4c 8732->8733 8733->8468 8735 56020 8734->8735 8736 5a805 2 API calls 8735->8736 8737 5604e 8736->8737 8738 5a805 2 API calls 8737->8738 8739 56067 8738->8739 8740 5a805 2 API calls 8739->8740 8741 560be 8740->8741 8742 58251 2 API calls 8741->8742 8743 560d2 8742->8743 8744 5a805 2 API calls 8743->8744 8745 56144 8744->8745 8746 58251 2 API calls 8745->8746 8747 561a1 8746->8747 8748 58251 2 API calls 8747->8748 8754 5621c 8748->8754 8749 56a70 8750 58251 2 API calls 8749->8750 8753 56b1c Mailbox 8750->8753 8751 507f5 8 API calls 8760 5664d Mailbox 8751->8760 8753->8480 8755 45071 9 API calls 8754->8755 8754->8760 8780 507f5 8754->8780 8755->8754 8756 56983 8756->8749 8757 507f5 8 API calls 8756->8757 8783 45071 8756->8783 8757->8756 8758 45071 9 API calls 8758->8760 8760->8749 8760->8751 8760->8756 8760->8758 8762 694ec Mailbox 8 API calls 8761->8762 8763 6970e 8762->8763 8763->8482 8765 69898 Mailbox 8764->8765 8766 694ec Mailbox 8 API calls 8765->8766 8767 
698a3 Mailbox 8766->8767 8767->8484 8769 4ee52 8768->8769 8793 51da2 8769->8793 8771 4ee71 Mailbox 8772 69883 8 API calls 8771->8772 8773 4ef9f 8771->8773 8772->8773 8773->8486 8775 523f5 8774->8775 8776 642b6 lstrlen 8775->8776 8777 52488 8776->8777 8778 62f94 8 API calls 8777->8778 8779 50ba0 8778->8779 8779->8720 8789 4ba10 8780->8789 8782 50802 8782->8754 8784 4acbe 8783->8784 8785 642b6 lstrlen 8784->8785 8786 4ad02 8785->8786 8787 69883 8 API calls 8786->8787 8788 4ad0c 8787->8788 8788->8756 8790 4ba25 Mailbox 8789->8790 8791 694ec Mailbox 8 API calls 8790->8791 8792 4ba30 Mailbox 8791->8792 8792->8782 8798 4db48 8793->8798 8795 51e43 8795->8771 8797 51db4 8797->8795 8802 4bece 8797->8802 8799 4db5b Mailbox 8798->8799 8801 4db9f 8798->8801 8800 69707 Mailbox 8 API calls 8799->8800 8800->8801 8801->8797 8803 4bf08 8802->8803 8804 4b7cd WaitForSingleObject 8803->8804 8805 4bfa2 8804->8805 8806 5a805 2 API calls 8805->8806 8813 4c09d 8805->8813 8807 4bfe5 GetProcAddress 8806->8807 8808 5a805 2 API calls 8807->8808 8810 4c033 8808->8810 8809 44eb1 ReleaseMutex 8811 4c2bd 8809->8811 8812 58251 2 API calls 8810->8812 8811->8797 8814 4c06d GetProcAddress 8812->8814 8813->8809 8815 58251 2 API calls 8814->8815 8815->8813 8817 59b85 8816->8817 8818 69707 Mailbox 8 API calls 8817->8818 8819 59c02 8818->8819 8820 4b7cd WaitForSingleObject 8819->8820 8821 59c24 CreateFileA 8820->8821 8822 59c5a 8821->8822 8827 59c78 Mailbox 8821->8827 8824 44eb1 ReleaseMutex 8822->8824 8823 59c8b ReadFile 8823->8827 8825 59e2f Mailbox 8824->8825 8825->8500 8826 57f29 Mailbox 8 API calls 8826->8827 8827->8823 8827->8826 8828 59e6a CloseHandle 8827->8828 8829 69883 8 API calls 8827->8829 8830 59dbc CloseHandle 8827->8830 8828->8822 8829->8827 8831 59dd9 8830->8831 8832 44eb1 ReleaseMutex 8831->8832 8832->8825 8835 691e0 8833->8835 8834 648e6 8837 4ea59 CloseHandle 8834->8837 8835->8834 8836 692ba WriteFile 8835->8836 8836->8834 8838 4ea8e 8837->8838 8838->8551 9698 481b5 9699 481dc 
9698->9699 9700 43b08 8 API calls 9699->9700 9701 4823c 9700->9701 9702 5bf07 8 API calls 9701->9702 9703 48276 9702->9703 9704 411b7 9705 41214 9704->9705 9708 4122a Mailbox 9704->9708 9706 642b6 lstrlen 9706->9708 9707 5074e wvsprintfA 9707->9708 9708->9705 9708->9706 9708->9707 8870 49830 8871 4983b Mailbox 8870->8871 8872 62f94 8 API calls 8871->8872 8873 498bd 8872->8873 9709 4e9b3 9710 59a0f 8 API calls 9709->9710 9711 4e9e3 9710->9711 9712 45724 8 API calls 9711->9712 9713 4ea10 9712->9713 8874 44e3c 8875 44e47 8874->8875 8878 556c6 8875->8878 8879 556e3 Mailbox 8878->8879 8882 5a7bc 8879->8882 8881 44e9b 8883 4f821 Mailbox 8 API calls 8882->8883 8884 5a7d6 Mailbox 8883->8884 8884->8881 9714 695bd 9715 695c3 Mailbox 9714->9715 9716 690f1 Mailbox 4 API calls 9715->9716 9717 69605 Mailbox 9716->9717 8964 640bb 8965 640c6 8964->8965 8968 4dd8f 8965->8968 8969 4dda0 8968->8969 8970 62f94 8 API calls 8969->8970 8971 4ddad 8970->8971 8972 684c2 8975 48020 8972->8975 8978 6236a 8975->8978 8977 4802b 8979 642b6 lstrlen 8978->8979 8980 62378 8979->8980 8980->8977 8981 450c3 8982 450e0 8981->8982 8983 642b6 lstrlen 8982->8983 8984 4510f Mailbox 8983->8984 8985 57f29 Mailbox 8 API calls 8984->8985 8986 45123 8985->8986 8987 45071 9 API calls 8986->8987 8988 45145 8987->8988 8991 5bf07 8988->8991 8992 5bf15 Mailbox 8991->8992 8993 69883 8 API calls 8992->8993 8994 45183 8993->8994 8995 598cc 8996 51da2 12 API calls 8995->8996 8997 59900 8996->8997 8998 69883 8 API calls 8997->8998 8999 59994 8998->8999 8885 4444e 8886 4446b 8885->8886 8889 4e4e4 8886->8889 8890 4e513 8889->8890 8891 4e553 8890->8891 8892 4e69a 8890->8892 8894 4e576 8891->8894 8895 4e621 8891->8895 8907 4b38e 8892->8907 8899 658f9 8894->8899 8896 658f9 4 API calls 8895->8896 8898 44575 8896->8898 8900 65931 8899->8900 8902 659a1 8900->8902 8906 65937 8900->8906 8915 485a4 8900->8915 8903 485a4 4 API calls 8902->8903 8904 659f4 8902->8904 8903->8904 8919 6572d 8904->8919 8906->8898 8908 4b3c3 8907->8908 
8909 485a4 4 API calls 8908->8909 8912 4b456 8908->8912 8909->8912 8910 44088 4 API calls 8913 4b4c3 8910->8913 8911 4b7b4 8911->8898 8912->8910 8912->8911 8913->8911 8914 44088 4 API calls 8913->8914 8914->8913 8916 485be 8915->8916 8918 4860a Mailbox 8916->8918 8923 44088 8916->8923 8918->8902 8921 65761 Mailbox 8919->8921 8920 658d3 8920->8906 8921->8920 8922 4de5a Mailbox 2 API calls 8921->8922 8922->8921 8924 440bc 8923->8924 8925 440d8 8923->8925 8926 623a6 Mailbox 2 API calls 8924->8926 8925->8918 8927 440d1 Mailbox 8926->8927 8927->8925 8928 4de5a Mailbox 2 API calls 8927->8928 8928->8925 9004 624d3 9005 6250c 9004->9005 9006 6d256 3 API calls 9005->9006 9007 6261c 9006->9007 9008 45c39 10 API calls 9007->9008 9009 62645 9008->9009 9010 4f793 lstrlen 9009->9010 9011 62697 9010->9011 9012 5a805 2 API calls 9011->9012 9013 626ad 9012->9013 9014 58251 2 API calls 9013->9014 9030 62706 Mailbox 9014->9030 9015 69707 Mailbox 8 API calls 9016 62cf0 Sleep 9015->9016 9049 52192 9016->9049 9018 5571f 6 API calls 9018->9030 9019 43e8c GetSystemTimeAsFileTime 9019->9030 9020 554d8 3 API calls 9020->9030 9022 6473b 12 API calls 9022->9030 9023 5a805 GetProcessHeap RtlAllocateHeap 9023->9030 9024 58695 21 API calls 9024->9030 9025 58251 GetProcessHeap RtlFreeHeap 9025->9030 9026 4846d 9 API calls 9026->9030 9027 4695e 8 API calls 9027->9030 9029 45724 8 API calls 9029->9030 9030->9015 9030->9018 9030->9019 9030->9020 9030->9022 9030->9023 9030->9024 9030->9025 9030->9026 9030->9027 9030->9029 9031 67dc0 50 API calls 9030->9031 9032 64927 32 API calls 9030->9032 9033 6443e 9030->9033 9045 4fe4b 9030->9045 9031->9030 9032->9030 9034 64470 9033->9034 9035 5a805 2 API calls 9034->9035 9036 644cd 9035->9036 9037 5a805 2 API calls 9036->9037 9038 644fc 9037->9038 9058 4a928 9038->9058 9041 58251 2 API calls 9042 64546 9041->9042 9043 58251 2 API calls 9042->9043 9044 6456f 9043->9044 9044->9030 9047 4fe66 Mailbox 9045->9047 9046 4ff60 Mailbox 9046->9030 9047->9046 9048 69883 8 
API calls 9047->9048 9048->9046 9052 521ab 9049->9052 9050 523d9 9050->9030 9051 522b7 DeleteFileA 9051->9052 9052->9050 9052->9051 9054 5233c 9052->9054 9064 59ef6 9052->9064 9055 523c2 9054->9055 9069 4b920 9054->9069 9073 45430 9055->9073 9059 4a95f Mailbox 9058->9059 9060 5a805 2 API calls 9059->9060 9061 4ac5d 9060->9061 9062 58251 2 API calls 9061->9062 9063 4ac90 9062->9063 9063->9041 9077 55b3e 9064->9077 9066 59f0d 9081 482bf 9066->9081 9070 4b93a 9069->9070 9072 4b97f 9070->9072 9096 4de9c 9070->9096 9072->9054 9074 45438 9073->9074 9075 694b4 Mailbox 2 API calls 9074->9075 9076 4fc29 9075->9076 9078 55b5a Mailbox 9077->9078 9079 57f29 Mailbox 8 API calls 9078->9079 9080 55b64 Mailbox 9079->9080 9080->9066 9082 482cc 9081->9082 9083 482dc 9082->9083 9085 59a0f 9082->9085 9083->9052 9088 67848 9085->9088 9087 59a1d 9087->9083 9089 6785a Mailbox 9088->9089 9092 64333 9089->9092 9091 67870 Mailbox 9091->9087 9093 6433e 9092->9093 9094 4f821 Mailbox 8 API calls 9093->9094 9095 643a8 9094->9095 9095->9091 9099 484ea 9096->9099 9100 48529 9099->9100 9103 4bdcb 9100->9103 9102 4854b 9102->9072 9104 4bde1 Mailbox 9103->9104 9105 57f29 Mailbox 8 API calls 9104->9105 9106 4be04 Mailbox 9105->9106 9106->9102 9176 4f553 9177 4f5b5 9176->9177 9179 4f567 9176->9179 9178 4f671 ReadFile 9177->9178 9177->9179 9178->9179 9180 4b353 9181 62f94 8 API calls 9180->9181 9182 4b377 9181->9182 9107 4bcdc 9108 4bcfa 9107->9108 9109 69707 Mailbox 8 API calls 9108->9109 9110 4bd13 9109->9110 9115 4563a 9110->9115 9112 4bd3a Mailbox 9113 69707 Mailbox 8 API calls 9112->9113 9114 4bdb8 9113->9114 9116 45648 9115->9116 9117 4dd8f 8 API calls 9116->9117 9118 45659 9117->9118 9118->9112 9183 62f5d ExitProcess 9127 4cedb FlushFileBuffers 9128 4cf0d GetLastError 9127->9128 9129 4cf39 9127->9129 9128->9129 9184 5b360 9185 5b378 9184->9185 9186 642b6 lstrlen 9185->9186 9187 5b3a5 9186->9187 9190 4fc31 9187->9190 9193 698df 9190->9193 9192 4fc47 9194 69923 9193->9194 9195 69982 9194->9195 
9196 6998f 9194->9196 9197 4bdcb 8 API calls 9195->9197 9198 4dbdf 8 API calls 9196->9198 9199 6998d Mailbox 9196->9199 9197->9199 9198->9199 9199->9192 9130 64ee1 9131 64efa 9130->9131 9134 6d527 9131->9134 9133 64f99 9135 6d544 9134->9135 9138 4dbdf 9135->9138 9137 6d559 Mailbox 9137->9133 9139 4dbf5 Mailbox 9138->9139 9140 4f821 Mailbox 8 API calls 9139->9140 9141 4dc18 9140->9141 9141->9137 9728 4c9ed 9729 4ca6f RegisterServiceCtrlHandlerA 9728->9729 9731 4cb13 SetServiceStatus CreateEventA 9729->9731 9732 4cda7 9729->9732 9734 4cbcd 9731->9734 9735 4cbde SetServiceStatus 9731->9735 9734->9735 9736 4cc00 9735->9736 9737 4cc42 WaitForSingleObject 9736->9737 9737->9737 9738 4cc6f 9737->9738 9739 4b7cd WaitForSingleObject 9738->9739 9740 4cc84 SetServiceStatus CloseHandle 9739->9740 9742 4cd01 SetServiceStatus 9740->9742 9742->9732 8932 4ba72 8936 4ba89 8932->8936 8939 4bb03 SetServiceStatus 8932->8939 8935 4bb88 SetEvent 8937 4bcd8 8935->8937 8936->8939 8940 4baa1 SetServiceStatus 8936->8940 8939->8935 8940->8937 9753 6cffe 9754 6d050 9753->9754 9755 65d58 2 API calls 9754->9755 9756 6d055 9755->9756 9757 55d50 3 API calls 9756->9757 9758 6d067 9757->9758 9759 6d108 ExitProcess 9758->9759 9142 4e2f9 9143 4e30a 9142->9143 9144 4b7cd WaitForSingleObject 9143->9144 9145 4e324 9144->9145 9146 515e5 ExitProcess 9145->9146 9147 4e35a 9146->9147 8941 4507a 8942 642b6 lstrlen 8941->8942 8943 450a9 8942->8943
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00060590 (buffer length 0x104 = MAX_PATH; the captured buffer holds the LocalSystem profile path, consistent with this process running as a service)
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 000605E4
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00060629
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00060649
• GetTickCount.KERNEL32 ref: 000606E6
• GetCommandLineA.KERNEL32 ref: 00060873
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: CreateMutex$CommandCountEnvironmentLineTickVariable
• String ID: 241$C:\Windows\system32\config\systemprofile$HO$^d/$wb_m$~z0
• API String ID: 3327569919-55223334
• Opcode ID: fdc241b2d739371ec051f0598690e6ddbb98e9f53b0df0022f67fb20c9119b15
• Instruction ID: 27fd9fecd40b7de0697229c9cb76298783c4fc1ca376ef847430228dd4518410
• Opcode Fuzzy Hash: fdc241b2d739371ec051f0598690e6ddbb98e9f53b0df0022f67fb20c9119b15
• Instruction Fuzzy Hash: 3603BC71E446019BF358DF64EC869BA37B5FB44301B14412AE90EFA2B1EB7D99C0CB52

Control-flow Graph
control_flow_graph 490 488a8-488de call 457a9 493 488e0 490->493 494 488ea-4898e GetVersionExA call 4e769 call 4457c 490->494 493->494 499 48990-4899a 494->499 500 4899c-489c2 494->500 501 489d7-489dd 499->501 500->501 502 489c4-489d1 500->502 503 489e3-48add call 5c0de call 4f38b CreateDirectoryA call 5a805 501->503 504 48b3f-48b5f 501->504 502->501 518 48ae2-48b3d call 4f38b call 58251 503->518 506 48b65-48b77 504->506 508 48ba9-48bb0 506->508 509 48b79-48b93 506->509 510 48bb6-48c17 call 5a805 call 4846d call 58251 508->510 509->510 512 48b95-48ba7 509->512 525 48c2d-48c3f 510->525 526 48c19-48c2b 510->526 512->510 518->506 528 48c4b-48c73 call 4c9ba call 6d492 call 4c622 525->528 529 48c41 525->529 526->528 536 48d6f-48e0c call 5c0de call 4f38b CreateDirectoryA call 65eaf 528->536 537 48c79-48ccc 528->537 529->528 549 48e0e-48e18 536->549 550 48e1a 536->550 538 48cfe-48d29 DeleteFileA 537->538 539 48cce-48cec 537->539 542 48d3d-48d65 RemoveDirectoryA 538->542 543 48d2b-48d37 538->543 539->538 541 48cee-48cf8 539->541 541->538 542->536 543->542 551 48e24-48e26 549->551 550->551 552 48e44 551->552 553 48e28-48e42 551->553 554 48e46-48e73 call 4f793 552->554 553->554 557 48e75-48e87 554->557 558 48e89-48e8e 554->558 559 48e94-48f2f CreateDirectoryA call 5a805 call 4f38b call 5a805 557->559 558->559 566 48f64-48fcf call 58251 call 4846d call 58251 call 4c9ba call 6d492 call 4c622 559->566 567 48f31-48f57 559->567 581 48fd5-48fe6 566->581 582 49769-497f8 call 4f793 SetFileAttributesA call 506af 566->582 567->566 568 48f59-48f5e 567->568 568->566 584 4906c-490da call 5a805 call 5074e call 58251 581->584 585 48fec-4906a call 5a805 call 5074e call 58251 581->585 597 497fa-49815 582->597 598 4981b-49826 call 45017 582->598 605 490e0-4910d 584->605 585->605 597->598 606 49132-49192 call 4f38b CreateDirectoryA call 65eaf 605->606 607 4910f-49126 605->607 613 49194-491a0 606->613 614 491c1-49257 call 4f793 CreateDirectoryA call 5a805 call 4f38b call 5a805 606->614 607->606 609 49128 607->609 609->606 613->614 615 491a2-491bb 613->615 624 49272-492a4 call 58251 call 4846d 614->624 625 49259-4926c 614->625 615->614 630 492a6-492be 624->630 631 492c0-492e7 624->631 625->624 632 492ff-4933b call 58251 call 4c9ba call 6d492 call 4c622 630->632 631->632 633 492e9-492f9 631->633 642 49756-49763 632->642 643 49341-493c2 GetTempPathA call 642b6 632->643 633->632 642->582 646 493ea-493ec 643->646 647 493c4-493dd 646->647 648 493ee 646->648 649 493f0-49412 647->649 650 493df-493e9 647->650 651 4946e-494fb call 65eaf call 4f793 CreateDirectoryA 648->651 652 49414-4941c 649->652 653 49422-49453 649->653 650->646 659 4950d-49557 call 5a805 call 4f38b 651->659 660 494fd-49507 651->660 652->653 653->651 655 49455-49469 653->655 655->651 665 49559-49565 659->665 666 4956b-49610 call 5a805 call 58251 call 4846d call 58251 call 4c9ba call 6d492 call 4c622 659->666 660->659 665->666 681 49736-49751 666->681 682 49616-49627 666->682 681->642 683 49633-496ce GetTempPathA call 65eaf call 5a805 682->683 684 49629 682->684 689 496d0 683->689 690 496da-496fe call 4f38b 683->690 684->683 689->690 693 49700-4970a 690->693 694 4970f-4972a call 58251 690->694 693->694 694->681 697 4972c 694->697 697->681
APIs
• GetVersionExA.KERNEL32(0007B028), ref: 0004893E
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00048AB6
• DeleteFileA.KERNELBASE(?,00000000), ref: 00048D05
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00048D5F
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00048DD9
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00048E9C
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00049158
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 000491F4
• GetTempPathA.KERNEL32(00000104,?,?,?,?,00000000), ref: 0004936E (nBufferLength 0x104 = MAX_PATH)
• CreateDirectoryA.KERNEL32(0000005C,00000000,?,?,?,?,?,?,00000000), ref: 000494DA
• GetTempPathA.KERNEL32(00000104,0000005C,?,?,?,00000000), ref: 0004963F
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,00000000), ref: 000497B0 (dwFileAttributes 0x2 = FILE_ATTRIBUTE_HIDDEN, so the path this function prepares is hidden from default directory listings)
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\hjflhukc\$Ua-W$\$gKV` ($-separated; C:\hjflhukc\ is a directory path referenced by this directory-creating function and is worth hunting for on hosts)
• API String ID: 1691758827-3231860264
• Opcode ID: aeb04c608a65590021a163e9bd56b8e5a9484fbe7aa88cb785cb97692ab1d4cb
• Instruction ID: 7dac72961df3323e4369cc74e02f44855be43ffc474ed0323a270ef120d6be22
• Opcode Fuzzy Hash: aeb04c608a65590021a163e9bd56b8e5a9484fbe7aa88cb785cb97692ab1d4cb
• Instruction Fuzzy Hash: 4582D3B1E40604DFF718DF64EC869AA37B4F744311B40842AE90EF6262EB7C99C5CB56

Control-flow Graph
control_flow_graph 794 5571f-5574f 795 55751-5576b 794->795 796 5577f-55796 794->796 795->796 797 5576d-55779 795->797 798 557b6-557d1 796->798 799 55798-557aa 796->799 797->796 801 557d3 798->801 802 557dd-55826 CreateToolhelp32Snapshot 798->802 799->798 800 557ac 799->800 800->798 801->802 803 5584f-55865 802->803 804 55828-5584d 802->804 805 5586b-5586d 803->805 804->805 806 55ab1-55af0 call 506af 805->806 807 55873-558b1 805->807 809 558b3-558c6 807->809 810 558da-55908 Process32First 807->810 809->810 812 558c8-558d4 809->812 813 55a6c-55a93 FindCloseChangeNotification 810->813 814 5590e-55934 810->814 812->810 817 55a95-55a9f 813->817 818 55aa1-55aab 813->818 815 55936-55950 814->815 816 55952 814->816 819 5595c-559c0 call 65eaf call 520d8 call 67406 815->819 816->819 817->806 818->806 826 559c2-55a08 Process32Next 819->826 827 55a2b-55a42 819->827 828 55a21-55a23 826->828 829 55a0a-55a1c 826->829 830 55a44-55a53 827->830 831 55a62 827->831 828->814 832 55a29 828->832 829->828 830->813 833 55a55-55a60 830->833 831->813 832->813 833->813
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00055804 (dwFlags 0x2 = TH32CS_SNAPPROCESS, a snapshot of all running processes)
• Process32First.KERNEL32(00000000,00000128), ref: 000558E2 (0x128 = 296 = sizeof(PROCESSENTRY32) for the ANSI, 32-bit structure)
• Process32Next.KERNEL32(00000000,00000128), ref: 000559E8
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00055A7E (KernelBase exports this name and CloseHandle at the same address, so address-based symbolisation can print either; the call closes the snapshot handle)
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: af3bf86f518085339e3310485ec1f2f8b04e88bd1a94a4e4217c0709eee2f19a
• Instruction ID: 69a5e0c91fbc1b28d46b6f4eed551ad691147f6b28a9e92589fb0bd3f6e392de
• Opcode Fuzzy Hash: af3bf86f518085339e3310485ec1f2f8b04e88bd1a94a4e4217c0709eee2f19a
• Instruction Fuzzy Hash: 1091AA35E05A04CBE758DB68ECAA5AA37F4F748312B14411AE80EE6261EB3C99C5CF41

Control-flow Graph
control_flow_graph 698 50806-5084b 699 5084d-50867 698->699 700 5086c-5087c 698->700 699->700 701 50891-508a1 700->701 702 5087e-5088b 700->702 703 508a3-508b8 701->703 704 508be-508e8 CreateToolhelp32Snapshot 701->704 702->701 703->704 705 50b20-50b91 call 506af 704->705 706 508ee-5091f 704->706 707 50921-50941 706->707 708 5095e-50982 Process32First 706->708 707->708 710 50943-50957 707->710 711 50988 708->711 712 50aeb-50b03 708->712 710->708 716 50989-509ef call 65eaf call 520d8 call 67406 711->716 714 50b05 712->714 715 50b0f-50b16 CloseHandle 712->715 714->715 715->705 723 509f5-50a29 OpenProcess 716->723 724 50aa4-50ae4 Process32Next 716->724 725 50a92-50a9e 723->725 726 50a2b-50a50 723->726 724->716 727 50aea 724->727 725->724 728 50a61-50a88 TerminateProcess CloseHandle 726->728 729 50a52-50a5c 726->729 727->712 728->725 729->728
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000508C2 (dwFlags 0x2 = TH32CS_SNAPPROCESS)
• Process32First.KERNEL32(00000000,00000128), ref: 00050966
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00050A15 (dwDesiredAccess 0x1 = PROCESS_TERMINATE, bInheritHandle FALSE; the PID argument was not captured)
• TerminateProcess.KERNELBASE(00000000,000000FF), ref: 00050A64 (uExitCode 0xFF; with the snapshot walk this is a kill loop over the process list, and the comparison in block 50a2b-50a50 decides whether a given entry is opened and terminated)
• CloseHandle.KERNEL32(00000000), ref: 00050A82 (closes the opened process handle)
• Process32Next.KERNEL32(00000000,00000128), ref: 00050AD2
• CloseHandle.KERNEL32(00000000), ref: 00050B10 (closes the snapshot handle)
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2696918072-0
                                                                                                                                                                                                            • Opcode ID: 852cde9e156b046680483627cdd04d80fbaa7b977c05022f2ff21542ca410893
                                                                                                                                                                                                            • Instruction ID: 8e91b74047045fce3f761e649c895d74031b46b35c6821ac4e1e8137c93baa39
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 852cde9e156b046680483627cdd04d80fbaa7b977c05022f2ff21542ca410893
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A581AC72D11A11DBF354DF68EC856AA33B4FB48312B00411AE90EE6671EB7C99C5CB46

Control-flow Graph
[Control-flow graph image: function starting at 0x5b046 (basic blocks 730-758), calling CreateFileA, GetFileTime, CloseHandle and GetFileSize; subcall to 0x4e909]
APIs
• CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0005B104
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 0005B16D
• CloseHandle.KERNEL32(00000000), ref: 0005B1B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0005B25F
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 0005B2AB
• CloseHandle.KERNEL32(00000000), ref: 0005B2D8
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: 05c26961bd4fb8ac6ffff879bf9cce5a874fe822e8143103ecec8176ac7e1f50
• Instruction ID: af1a86d23ded9b64639877041ec21a25d2dff494158f1438573132dcf0fcf25a
• Opcode Fuzzy Hash: 05c26961bd4fb8ac6ffff879bf9cce5a874fe822e8143103ecec8176ac7e1f50
• Instruction Fuzzy Hash: 6A71B971E00604DBF354DF68ED8196A3BF4F745316714462AE80EE66B0E73C9AC5CB26

Control-flow Graph
[Control-flow graph image: function starting at 0x55498 (basic blocks 759-776), calling CreateProcessA and CloseHandle (twice); two subcalls to 0x506af]
APIs
• CreateProcessA.KERNELBASE(?,0004DA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00055628
• CloseHandle.KERNEL32(0004DA33,?,?,?,?,00000000), ref: 00055652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00055665
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 61ee4e4ba474db1a1d1bb7cbb8eec24b92509df664ed4d08af0a5894c9990490
• Instruction ID: f2c8ba331d51ccee5320d68df2b151b21030c95c7e132a2fea2525f29b282f47
• Opcode Fuzzy Hash: 61ee4e4ba474db1a1d1bb7cbb8eec24b92509df664ed4d08af0a5894c9990490
• Instruction Fuzzy Hash: 0C411472E00A40DBE718DF64FD699AA77B4FB85302B04801EE90EE71B1E77D8984CB11

Control-flow Graph
[Control-flow graph image: function starting at 0x554d8 (basic blocks 777-793), calling CreateProcessA and CloseHandle (twice); two subcalls to 0x506af]
APIs
• CreateProcessA.KERNELBASE(?,0004DA33,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00055628
• CloseHandle.KERNEL32(0004DA33,?,?,?,?,00000000), ref: 00055652
• CloseHandle.KERNEL32(?,?,?,?,?,00000000), ref: 00055665
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 37f701de91a8f0a126d5d21fb4f7bb0de878c3a90768812395df91f760cac92e
• Instruction ID: 81bfa1eb243a66b726552b74140570d694df4abde940b89e1824fcba4aec276e
• Opcode Fuzzy Hash: 37f701de91a8f0a126d5d21fb4f7bb0de878c3a90768812395df91f760cac92e
• Instruction Fuzzy Hash: 9E41A171D00A45DBEB58DF65EDAA9AA77B5FB84702B00401AE90EB6170EB7C49C4CB12

Control-flow Graph
[Control-flow graph image: function starting at 0x4c622 (basic blocks 834-875), calling CreateFileA, WriteFile and FindCloseChangeNotification; subcalls to 0x6dfa1, 0x4b7cd, 0x44eb1, 0x585e7 and 0x6970f]
APIs
  • Part of subcall function 0004B7CD: WaitForSingleObject.KERNEL32(0005AEAC,00004E20,00000001,?,0004BFA2,00000001,-AF16B4FB,?,0005AEAC,000466DE), ref: 0004B81D
• CreateFileA.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000000,00000000,?,000467E3,?,00000004,?,00000000,?), ref: 0004C746
• WriteFile.KERNELBASE(00000000,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 0004C90B
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,00000001), ref: 0004C983
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$ChangeCloseCreateFindNotificationObjectSingleWaitWrite
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2552625159-0
                                                                                                                                                                                                            • Opcode ID: 7ee5d4e65a14d2efd5a1e7aaec03cefe30640cec846db508fc807cbfd063f453
                                                                                                                                                                                                            • Instruction ID: 830fef32286b4fa656b17bdbb5e1b6198ac41daf8d736f47be0bca06e42f6d38
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7ee5d4e65a14d2efd5a1e7aaec03cefe30640cec846db508fc807cbfd063f453
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B291BAB1E11601DBF758CF28ED959693BE4FB84311710802AE50EEA2B1EB3D99C0CF19

Control-flow Graph: function spanning 4e769-4e908 (basic blocks 876-887; calls AllocateAndInitializeSid, CheckTokenMembership and FreeSid); executed/not-executed colouring of the rendered graph is not recoverable here
APIs
• AllocateAndInitializeSid.ADVAPI32(00048954,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00048954), ref: 0004E865
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0004E895
• FreeSid.ADVAPI32(?), ref: 0004E8DC
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: fd4301dd52e15f2fbe8a245595a8eb8cb2b0699e0f300e52f28402e659058ea8
• Instruction ID: 177dccb889e018c3a30fbcd38e53fb358732a7ed8b0dfab018e241a0e8b836cb
• Opcode Fuzzy Hash: fd4301dd52e15f2fbe8a245595a8eb8cb2b0699e0f300e52f28402e659058ea8
• Instruction Fuzzy Hash: A8417AB4D55244EFEB40CFA5EC88AA977B4FB09305B40402AE50EF7261EB3C99C0CB55

Control-flow Graph: function spanning 520d8-5214f (basic blocks 888-891; calls lstrlen and CharLowerBuffA); executed/not-executed colouring of the rendered graph is not recoverable here
APIs
• lstrlen.KERNEL32(?,?,000509C2,?,?,?), ref: 000520F0
• CharLowerBuffA.USER32(?,00000000,?,000509C2,?,?,?), ref: 00052131
Similarity
• API ID: BuffCharLowerlstrlen
• String ID:
• API String ID: 794975171-0
• Opcode ID: eaf4d094f65e06734ef9f2bda75e50179dfe29b36fb73aef494b02e6fa88e3d3
• Instruction ID: df08fdce8bfae79e786c564362b6d173db40b65cab87bf02d539b75f249d675f
• Opcode Fuzzy Hash: eaf4d094f65e06734ef9f2bda75e50179dfe29b36fb73aef494b02e6fa88e3d3
• Instruction Fuzzy Hash: 77F06D31D14A049BEB498F05E94A43A3BF1FB947017008019E80EAA630EB3D9DC0EB56

Control-flow Graph: function spanning 623a6-62404 (basic blocks 892-895; calls GetProcessHeap and RtlAllocateHeap); executed/not-executed colouring of the rendered graph is not recoverable here
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,0006A3A7,?,?,?,0006D0BE), ref: 000623F6
• RtlAllocateHeap.NTDLL(00000000,?,0006A3A7,?,?,?,0006D0BE), ref: 000623FD
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 32998cee58bea2d9c3ff31f89b3a799a9bb81f00742b32e7487546cd948c6953
• Instruction ID: b13be65ecb536c4729c0905d064ef7b5e06e279c052fcc857e12ee8526f82443
• Opcode Fuzzy Hash: 32998cee58bea2d9c3ff31f89b3a799a9bb81f00742b32e7487546cd948c6953
• Instruction Fuzzy Hash: A9F03976A01302ABFA108FA9FD49A5A37A5F314358B650012F25DEA1A5D77CE8948BA0

Control-flow Graph: function spanning 4de5a-4de9b (basic blocks 896-898; calls GetProcessHeap and RtlFreeHeap); executed/not-executed colouring of the rendered graph is not recoverable here
APIs
• GetProcessHeap.KERNEL32(00000000,00058109,?,00058109,00000000), ref: 0004DE6C
• RtlFreeHeap.NTDLL(00000000,?,00058109,00000000), ref: 0004DE73
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: cf66ba3a07d672f1912cc4ba575f44ea84e485856164406b9ee2b91aca844985
• Instruction ID: 8001f6c23eebdd6b69eb8b1c3eb83722999f33b6c36f9065bc39c0f7e9e12283
• Opcode Fuzzy Hash: cf66ba3a07d672f1912cc4ba575f44ea84e485856164406b9ee2b91aca844985
• Instruction Fuzzy Hash: 3DE0C232D00248EBFE149BD6FC4A7043BECFB21341F008121F11EEA130D72D99D08A85

Control-flow Graph: function spanning 515e5-5160d (single basic block 899; calls subroutine 5bf87 and ExitProcess); executed/not-executed colouring of the rendered graph is not recoverable here
APIs
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ExitProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 621844428-0
                                                                                                                                                                                                            • Opcode ID: b38d7a5427f17576125bc7e519ee6622556652fd069bff8bae42116df58b3146
                                                                                                                                                                                                            • Instruction ID: 438d2e948da11c2c567e1cc08378a7517d64dce8c94ebf330ea3997dc65bb3e9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b38d7a5427f17576125bc7e519ee6622556652fd069bff8bae42116df58b3146
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 73D01224904384AAA7107F649C0A56A3BB4FF886017411021F848B9031EB7DD980C75B

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                            control_flow_graph 923 6d831-6d84c 924 6d84e 923->924 925 6d858-6d877 923->925 924->925 926 6d885-6d8a6 925->926 927 6d879-6d883 925->927 928 6d8ac-6d92b call 506af 926->928 927->928 931 6d944-6d949 928->931 932 6d92d-6d942 928->932 933 6d94f-6d997 CreatePipe 931->933 932->933 934 6d9ad-6d9cb 933->934 935 6d999-6d9a8 933->935 936 6d9e1-6d9ef 934->936 937 6d9cd-6d9df 934->937 938 6de92-6decb call 69707 935->938 939 6d9f4-6da10 SetHandleInformation 936->939 937->939 944 6ded7-6def1 938->944 945 6decd 938->945 942 6da12-6da23 939->942 943 6da3b-6da50 CreatePipe 939->943 946 6da25-6da2f 942->946 947 6da31 942->947 948 6da66-6dad7 SetHandleInformation call 506af * 2 943->948 949 6da52-6da61 943->949 945->944 946->943 947->943 957 6db10-6db56 948->957 958 6dad9-6daf4 948->958 950 6de64-6de79 CloseHandle 949->950 953 6de84-6de90 950->953 954 6de7b-6de7e CloseHandle 950->954 953->938 953->944 954->953 959 6db76-6dbde CreateProcessA 957->959 960 6db58-6db71 957->960 958->957 961 6daf6-6db09 958->961 962 6dc04-6dc24 WriteFile 959->962 963 6dbe0-6dc02 959->963 960->959 961->957 965 6dc26 962->965 966 6dc3e-6dc52 962->966 964 6dc30-6dc39 CloseHandle 963->964 967 6ddfe-6de08 964->967 965->964 968 6dc54-6dc5e 966->968 969 6dc63-6dc9f CloseHandle * 2 966->969 970 6de3e-6de5d CloseHandle 967->970 971 6de0a-6de1f 967->971 968->969 972 6dca1 969->972 973 6dcab-6dcc0 969->973 970->950 974 6de21-6de37 971->974 975 6de39 971->975 972->973 976 6dcc2-6dccc 973->976 977 6dcce-6dce6 973->977 974->970 975->970 978 6dd09-6dd25 call 64101 976->978 977->978 979 6dce8-6dd03 977->979 982 6dd47-6dd6a WaitForSingleObject 978->982 983 6dd27-6dd42 978->983 979->978 984 6dd6c-6dd88 982->984 985 6dd8a-6dd96 982->985 983->982 986 6dd9c-6ddd0 CloseHandle * 2 984->986 985->986 987 6ddd2-6dde6 986->987 
988 6dded-6ddf9 986->988 987->988 988->967
APIs
• CreatePipe.KERNEL32(00000000,?,?,00000000,?,00000001,?), ref: 0006D98F
• SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0006D9F9
• CreatePipe.KERNEL32(?,?,?,00000000), ref: 0006DA48
• SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0006DA7E
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 0006DBCC
• WriteFile.KERNEL32(?,?,00000020,00000020,00000000), ref: 0006DC1C
• CloseHandle.KERNEL32(?), ref: 0006DC33
• CloseHandle.KERNEL32(?), ref: 0006DC66
• CloseHandle.KERNEL32(?), ref: 0006DC89
• WaitForSingleObject.KERNEL32(?,00002710), ref: 0006DD4F
• CloseHandle.KERNEL32(?), ref: 0006DD9F
• CloseHandle.KERNEL32(?), ref: 0006DDB2
• CloseHandle.KERNEL32(?), ref: 0006DE41
• CloseHandle.KERNEL32(00000000), ref: 0006DE67
• CloseHandle.KERNEL32(?), ref: 0006DE7E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: Handle$Close$Create$InformationPipe$FileObjectProcessSingleWaitWrite
• String ID: D
• API String ID: 1130065513-2746444292
• Opcode ID: 9e1776c79c41f5c004c533194adc21faa80e56914d9e3d48cf7a3bd3b3e58645
• Instruction ID: f095436937d554724fde0cd6906eacfe2eb13effabf9e591180fea2f099d0dfc
• Opcode Fuzzy Hash: 9e1776c79c41f5c004c533194adc21faa80e56914d9e3d48cf7a3bd3b3e58645
• Instruction Fuzzy Hash: EC029676E10604DBEB14DF68EC859AA7BF5FB08301714811AE80EF6231EB7D99D1CB52
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00063685
• CreateServiceA.ADVAPI32(00000000,00912F68,00912F68,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 000636D6
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00063728
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0006374C
• CloseServiceHandle.ADVAPI32(00000000), ref: 0006375D
• OpenServiceA.ADVAPI32(00000000,00000010), ref: 000637D1
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00063836
• CloseServiceHandle.ADVAPI32(00000000), ref: 00063847
• CloseServiceHandle.ADVAPI32(00000000), ref: 000638B1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID: 3ch$qh~B
• API String ID: 3525021261-274300185
• Opcode ID: 890320046d1b0e0dee086c434ea869350a29637b20f1f6e69bbc9ab130d0bcd5
• Instruction ID: 84dc494caf210b4c683a4244e353c3adf2a39eae02f9323bf99413cd41ed9efa
• Opcode Fuzzy Hash: 890320046d1b0e0dee086c434ea869350a29637b20f1f6e69bbc9ab130d0bcd5
• Instruction Fuzzy Hash: 0C918AB5E14A10ABF3188F28ED859B937F5F749701340441AE80EBA271EB7D99C1CBA1
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000511F7
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00051267
• CloseHandle.KERNEL32(00000000), ref: 0005128B
• GetTickCount.KERNEL32 ref: 000512D1
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0005153B
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0005157E
• CloseHandle.KERNEL32(00000000), ref: 0005158F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID: Ra);
• API String ID: 3478262135-4229484525
• Opcode ID: 8bd8447b4fe83fcb4091c761578054707c5237f8980bbbedc787bcdbe56945ab
• Instruction ID: 095e51955c56a1b7a6a9536f04c9508aea5424dc0ba3fd9717c4368ccdf4f141
• Opcode Fuzzy Hash: 8bd8447b4fe83fcb4091c761578054707c5237f8980bbbedc787bcdbe56945ab
• Instruction Fuzzy Hash: 6CB1E171D15A00AEF7189F64EC85ABA37F4FB48356710401AF90DE62B1EB7C89C5CB16
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000516B2
• Process32First.KERNEL32(00000000,00000128), ref: 000517BE
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00051932
• Module32First.KERNEL32(00000000,00000224), ref: 00051991
• CloseHandle.KERNEL32(?,0000000A), ref: 00051A6A
• Process32Next.KERNEL32(00000000,00000128), ref: 00051ACE
• CloseHandle.KERNEL32(00000000), ref: 00051AF5
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                            • Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 930127669-0
                                                                                                                                                                                                            • Opcode ID: 05d51c00f46aa174b177e5c522a987979c465f60d8ced2824dcf367381ceefe5
                                                                                                                                                                                                            • Instruction ID: ea795721006d39a6a13ccd4f7a81d214a88bc580766b9d0ed7c810f2615d2d0b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 05d51c00f46aa174b177e5c522a987979c465f60d8ced2824dcf367381ceefe5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4FC1DE76E04604CBF758DF68EC866BA33B4F749312B00411AE90EE62A1EB7C99C5CF55
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00059FF7
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 0005A049
• GetLastError.KERNEL32 ref: 0005A061
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,?), ref: 0005A162
• CloseServiceHandle.ADVAPI32(00000000), ref: 0005A3B6
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
• String ID:
• API String ID: 1579346331-0
• Opcode ID: 69c017d3d9fd6105eec18d5473cf67c5cc1dae124fd6cc7bcc5a1d55ea5eaa59
• Instruction ID: 245b701e4e97dd1a771a1a0afbc08c0122b1dcb0d48183f7fc94b49410aca86e
• Opcode Fuzzy Hash: 69c017d3d9fd6105eec18d5473cf67c5cc1dae124fd6cc7bcc5a1d55ea5eaa59
• Instruction Fuzzy Hash: B5D1CD76E00600DFF718CF68ED956AA77F4F745312B14411AE80EBA261EB7C9AC1CB52
APIs
• Sleep.KERNEL32(000003E8), ref: 00045DEC
• FindFirstFileA.KERNEL32(?,?), ref: 00045EB2
• DeleteFileA.KERNEL32(?), ref: 00045FE2
• FindNextFileA.KERNEL32(00000000,?), ref: 00046020
• FindClose.KERNEL32(00000000), ref: 00046042
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: a2d1448bd059c349d753b393b22eedbcf8f4ac3352143dc64be112c4bcb64561
• Instruction ID: 05b5da1dc047328b69268950ea980008504997498129bffe7b40d4bdcc44ee09
• Opcode Fuzzy Hash: a2d1448bd059c349d753b393b22eedbcf8f4ac3352143dc64be112c4bcb64561
• Instruction Fuzzy Hash: D0A1CEB1D10A05DBF358DF64EC8A5A933B8F748342710402AE90EEA671EB7C99C5CF56
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 0004CAF2
• SetServiceStatus.ADVAPI32(0007B2DC), ref: 0004CB64
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0004CB78
• SetServiceStatus.ADVAPI32(0007B2DC), ref: 0004CBE5
• WaitForSingleObject.KERNEL32(00001388), ref: 0004CC62
• SetServiceStatus.ADVAPI32(0007B2DC), ref: 0004CCAF
• CloseHandle.KERNEL32 ref: 0004CCC5
• SetServiceStatus.ADVAPI32(0007B2DC), ref: 0004CD8F
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID:
• API String ID: 3399922960-0
• Opcode ID: 560e2c2394613ef4f36472b28d1b70cb06984281ac04a6761254d867d4cc2a8e
• Instruction ID: f96156196dac12193f0f1ee8be3eec9c26c9fd34a685737c2d807d4fadefbae6
• Opcode Fuzzy Hash: 560e2c2394613ef4f36472b28d1b70cb06984281ac04a6761254d867d4cc2a8e
• Instruction Fuzzy Hash: C59144B4D126418BF798DF28ED99A693BF4F709305340452AE40EEA271DB7C98C2CB45
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000002,?,0004D583,Function_0000AD87,00000002,00000000), ref: 00064637
• CreateThread.KERNEL32(00000000,00000000,00000002,?,00000000,00000000), ref: 00064655
• CloseHandle.KERNEL32(00000000,?,00000002,?,0004D583,Function_0000AD87,00000002,00000000), ref: 0006468D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,?,0004D583,Function_0000AD87,00000002,00000000), ref: 000646A1
• CloseHandle.KERNEL32(?,00000002,?,0004D583,Function_0000AD87,00000002,00000000), ref: 00064712
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 266b47c58f41e549f72198b62c3230b3843b1479793bc129659bbbf15f70d90a
• Instruction ID: cd316fe5bdb5f74ee68df5d9ed06d9b4515524b54718aeefc8fe92a431720094
• Opcode Fuzzy Hash: 266b47c58f41e549f72198b62c3230b3843b1479793bc129659bbbf15f70d90a
• Instruction Fuzzy Hash: 80416775D05640DFE328DF28ED8996A3BF6F78A712710442AE40EE6631E73C9891CB12
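The "APIs" lists in these records are the part a triager actually reads: the argument columns are raw hex that decodes to named Win32 constants (snapshot flags, access masks, sleep durations), and the set of APIs in one function maps onto a capability. The following Python script is an added example, not part of the Joe Sandbox report and not code from the analysed sample. It parses an excerpt of the listings copied from the records above plus the GetModuleFileNameA / Sleep / DeleteFileA sequence from the record that follows, names the constants it recognises (Toolhelp32 snapshot flags, Sleep milliseconds, the OpenSCManagerA access mask, EnumServicesStatusA service type and state, the GetModuleFileNameA buffer size), and tags each function with the capability its API set implies. The excerpt selection, the capability labels and which parameters get decoded are this example's own choices; arguments the report shows as '?' stay undecoded.

```python
"""Annotate the "APIs" listings of a Joe Sandbox report (added example, not report or sample code)."""
import re

# Constructed input: API lines copied from the function records on this page (handle-closing calls left out).
REPORT_EXCERPT = """
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000516B2
• Process32First.KERNEL32(00000000,00000128), ref: 000517BE
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00051932
• Module32First.KERNEL32(00000000,00000224), ref: 00051991
• Process32Next.KERNEL32(00000000,00000128), ref: 00051ACE
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00059FF7
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,?), ref: 0005A049
• GetLastError.KERNEL32 ref: 0005A061
APIs
• Sleep.KERNEL32(000003E8), ref: 00045DEC
• FindFirstFileA.KERNEL32(?,?), ref: 00045EB2
• DeleteFileA.KERNEL32(?), ref: 00045FE2
• FindNextFileA.KERNEL32(00000000,?), ref: 00046020
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(Function_0000BA72), ref: 0004CAF2
• SetServiceStatus.ADVAPI32(0007B2DC), ref: 0004CB64
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00064CBC
• Sleep.KERNEL32(00015F90), ref: 00064E60
• DeleteFileA.KERNEL32(?), ref: 00064E7F
"""

API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)"     # Sleep.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"             # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"   # call site inside the dump
)

def parse_records(text):
    """Split on 'APIs' headers; return one list of call dicts per function."""
    records, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "APIs":
            records.append(current := [])
        elif (m := API_LINE.match(line)) and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append({"api": m["api"], "args": args, "ref": m["ref"]})
    return records

# Bit names for flag-style arguments seen in the listings (Win32 SDK values).
TH32CS = {0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
SERVICE_TYPE = {0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
SERVICE_STATE = {0x1: "SERVICE_ACTIVE", 0x2: "SERVICE_INACTIVE"}

def _flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)

# (API, zero-based argument position) -> decoder for that parameter.
DECODERS = {
    ("Sleep", 0): lambda v: f"{v} ms ({v / 1000:g} s)",
    ("CreateToolhelp32Snapshot", 0): lambda v: _flags(v, TH32CS),
    ("OpenSCManagerA", 2): lambda v: "GENERIC_READ" if v == 0x80000000 else hex(v),
    ("EnumServicesStatusA", 1): lambda v: _flags(v, SERVICE_TYPE),   # 0x30 == SERVICE_WIN32
    ("EnumServicesStatusA", 2): lambda v: _flags(v, SERVICE_STATE),  # 0x3 == SERVICE_STATE_ALL
    ("GetModuleFileNameA", 2): lambda v: "260 (MAX_PATH)" if v == 0x104 else str(v),
}

def decode_arg(api, index, raw):
    """Name a resolved hex argument at a known (API, position); None for '?' or unknowns."""
    fn = DECODERS.get((api, index))
    if fn is None or not re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return None
    return fn(int(raw, 16))

# Capability labels are this example's own wording; a rule fires when every listed API is present.
CAPABILITY_RULES = [
    ("enumerates processes (Toolhelp32)", {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}),
    ("enumerates modules of a process (Toolhelp32)", {"CreateToolhelp32Snapshot", "Module32First"}),
    ("enumerates services through the SCM", {"OpenSCManagerA", "EnumServicesStatusA"}),
    ("walks a directory and deletes files", {"FindFirstFileA", "DeleteFileA", "FindNextFileA"}),
    ("implements a service entry point (ServiceMain)", {"RegisterServiceCtrlHandlerA", "SetServiceStatus"}),
    ("self-delete candidate: own image path, Sleep, then DeleteFileA", {"GetModuleFileNameA", "Sleep", "DeleteFileA"}),
]

def classify(record):
    present = {call["api"] for call in record}
    return [label for label, needed in CAPABILITY_RULES if needed <= present]

def analyze(text):
    """One summary per function: first call site, API names, capabilities, decoded arguments."""
    summaries = []
    for record in parse_records(text):
        decoded = [f"{c['api']}@{c['ref']} arg{i}={raw} -> {name}"
                   for c in record for i, raw in enumerate(c["args"])
                   if (name := decode_arg(c["api"], i, raw))]
        summaries.append({"first_ref": record[0]["ref"], "apis": [c["api"] for c in record],
                          "capabilities": classify(record), "decoded": decoded})
    return summaries

if __name__ == "__main__":
    for s in analyze(REPORT_EXCERPT):
        print(s["first_ref"], "; ".join(s["capabilities"]) or "no rule matched", *s["decoded"], sep="\n    ")
```

Run as a script it prints, per function, the first call site, the matched labels and the decoded arguments. The values worth noting from these records: CreateToolhelp32Snapshot is called once with TH32CS_SNAPPROCESS and once with TH32CS_SNAPMODULE, EnumServicesStatusA asks for all Win32 services in any state over a GENERIC_READ SCM handle, the Sleep in the file-deletion loop is 1 s, and the Sleep before the final DeleteFileA is 0x15F90 = 90000 ms. That last function is labelled only as a candidate: GetModuleFileNameA(NULL, ...) returns the caller's own image path, but the DeleteFileA argument is unresolved ('?') in the listing, so the report alone does not establish that the deleted file is the sample itself.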
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00064CBC
  • Part of subcall function 0005074E: wvsprintfA.USER32(?,?,?), ref: 000507C3
• Sleep.KERNEL32(00015F90), ref: 00064E60
• DeleteFileA.KERNEL32(?), ref: 00064E7F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: File$DeleteModuleNameSleepwvsprintf
• String ID: KU
• API String ID: 4183770253-1793860563
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00059C43
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00059CA8
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00059DC7
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00059E86
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: CloseFileHandle$CreateRead
• String ID:
• API String ID: 2564258376-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00058146,00000000,?,?,?,?,?,0004F85A,?,?,?,00069573), ref: 00069143
• RtlReAllocateHeap.NTDLL(00000000,?,00058146,00000000), ref: 0006914A
• GetProcessHeap.KERNEL32(00000000,00000000,?,00058146,00000000,?,?,?,?,?,0004F85A,?,?,?,00069573,?), ref: 00069174
• HeapAlloc.KERNEL32(00000000,?,00058146,00000000,?,?,?,?,?,0004F85A,?,?,?,00069573,?,00000001), ref: 0006917B
Memory Dump Source
• Source File: 0000000B.00000002.3197050507.0000000000041000.00000020.00000001.01000000.00000007.sdmp, Offset: 00040000, based on PE: true
• Associated: 0000000B.00000002.3197034305.0000000000040000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197105644.000000000006F000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197124907.0000000000070000.00000008.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197143695.0000000000073000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000B.00000002.3197159676.000000000007C000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_40000_xxxniijvj.jbxd
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0